Eric Zimmerman Tools

EZ Tools Manuals
Andrew Rathbun and Eric Zimmerman

This book is for sale at http://leanpub.com/eztoolsmanuals
This version was published on 2022-12-03
ISBN 978-1-959497-02-8
This is a Leanpub book. Leanpub empowers authors and publishers with the Lean Publishing
process. Lean Publishing is the act of publishing an in-progress ebook using lightweight tools and
many iterations to get reader feedback, pivot until you have the right book and build traction once
you do.
© 2022 Andrew Rathbun and Eric Zimmerman

Tweet This Book!
Please help Andrew Rathbun and Eric Zimmerman by spreading the word about this book on
Twitter!
The suggested hashtag for this book is #eztoolsmanuals.
Find out what other people are saying about the book by clicking on this link to search for this
hashtag on Twitter:
#eztoolsmanuals
This book would not exist but for the heroic effort of Andrew Rathbun to suggest it and put in an
enormous amount of work to get it off the ground. I am in your debt sir!
Contents
Enabling Update Notifications on Leanpub . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Introduction to EZ Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
What are EZ Tools? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Download EZ Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
CLI vs GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
.NET 4 vs .NET 6 EZ Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
What is this book? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Mastering EZ Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Content by Eric Zimmerman . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Content by the DFIR Community about EZ Tools . . . . . . . . . . . . . . . . . . . . . . . . . 4
EZ Tools - Common Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Common Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
EZ Tools - PowerShell vs CMD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Common Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
EZ Tools - CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
AmcacheParser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
AmcacheParser Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
AmcacheParser Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
AmcacheParser Command Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
AmcacheParser Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
AmcacheParser Key Takeaways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
AmcacheParser References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
AppCompatCacheParser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
AppCompatCacheParser Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
AppCompatCacheParser Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
AppCompatCacheParser Command Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
AppCompatCacheParser Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
AppCompatCacheParser Key Takeaways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
AppCompatCacheParser References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
CONTENTS
bstrings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
bstrings Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
bstrings Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
bstrings Command Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
bstrings References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
EvtxECmd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
EvtxECmd Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
EvtxECmd Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
EvtxECmd Command Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
EvtxECmd Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
EvtxECmd Key Takeaways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
EvtxECmd References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
IISGeoLocate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
IISGeoLocate Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
IISGeoLocate Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
IISGeoLocate Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
IISGeoLocate References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
JLECmd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
JLECmd Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
JLECmd Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
JLECmd Command Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
JLECmd Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
JLECmd Sample Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
JLECmd Key Takeaways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
JLECmd References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
LECmd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
LECmd Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
LECmd Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
LECmd Command Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
LECmd Sample Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
LECmd Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
LECmd Key Takeaways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
LECmd References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
MFTECmd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
MFTECmd Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
File Types Parsed by MFTECmd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
MFTECmd Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
MFTECmd Command Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
MFTECmd Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
CONTENTS
MFTECmd References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
PECmd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
PECmd Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
PECmd Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
PECmd Command Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
PECmd Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
PECmd Key Takeaways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
PECmd References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
RBCmd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
RBCmd Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
RBCmd Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
RBCmd Command Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
RBCmd Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
RBCmd Key Takeaways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
RBCmd References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
RecentFileCacheParser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
RecentFileCacheParser Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
RecentFileCacheParser Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
RecentFileCacheParser Command Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
RecentFileCacheParser Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
RecentFileCacheParser References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
RECmd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
RECmd Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
RECmd Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
RECmd Command Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
RECmd Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
RECmd References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
RLA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
RLA Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
RLA Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
RLA Command Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
RLA References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
SBECmd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
SBECmd Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
SBECmd Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
SBECmd Command Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
SBECmd Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
SBECmd Key Takeaways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
CONTENTS
SBECmd References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
SQLECmd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
SQLECmd Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
SQLECmd Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
SQLECmd Command Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
SQLECmd References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
SrumECmd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
SrumECmd Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
SrumECmd Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
SrumECmd Command Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
SrumECmd Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
SrumECmd Sample Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
SrumECmd References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
SumECmd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
SumECmd Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
SumECmd Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
SumECmd Command Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
SumECmd Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
SumECmd References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
VSCMount . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
VSCMount Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
VSCMount Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
VSCMount Command Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
VSCMount References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
WxTCmd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
WxTCmd Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
WxTCmd Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
WxTCmd Command Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
WxTCmd Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
WxTCmd Key Takeaways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
WxTCmd References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
EZ Tools - GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
EZViewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
EZViewer Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
EZViewer Screenshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
EZViewer Key Takeaways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
EZViewer References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
CONTENTS
Hasher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Hasher Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Hasher Screenshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Hasher Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Hasher References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
JumpList Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

JumpList Explorer Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
JumpList Explorer Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
JumpList Explorer References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
MFT Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

MFT Explorer Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
MFT Explorer Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
MFT Explorer References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Registry Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Registry Explorer Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
RECmd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Version changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
SDB Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

SDB Explorer Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
SDB Explorer References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Shellbags Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293

Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
What are ShellBags? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
ShellBags location in the registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Using RegEdit to view ShellBag data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Why another ShellBags program? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
ShellBagsExplorer.exe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Workflow overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
SBECmd.exe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
General usage tips and tricks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Version changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
TimeApp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
TimeApp Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
TimeApp Screenshots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
TimeApp References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Timeline Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

Timeline Explorer Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
CONTENTS
Timeline Explorer Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

Timeline Explorer Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Timeline Explorer Layout Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Timeline Explorer Plugins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Timeline Explorer References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
XWFIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Using XWFIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
XWFIM References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Errata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Reporting Errata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Enabling Update Notifications on
Leanpub
Please, before you go any further in reading this book, enable update notifications for this book (and
any others) so you’re notified when this book is updated! This can be done in your Leanpub library¹.
This book is a live document and will constantly be updated as time goes on. You don’t want to miss
out!
Update Notifications
¹https://leanpub.com/user_dashboard/library
Introduction to EZ Tools
What are EZ Tools?
EZ Tools are free and open-source digital forensics tools written by Eric Zimmerman².
Download EZ Tools
Eric Zimmerman’s Tools can be downloaded here³. Run the Get-ZimmermanTools.ps1 PowerShell
script to download EZ Tools.
²https://www.sans.org/profiles/eric-zimmerman/
³https://ericzimmerman.github.io/#!index.md
Introduction to EZ Tools 3
CLI vs GUI
EZ Tools comprise of CLI (Command Line Interface) and GUI (Graphical User Interface) tools. The
CLI tools will be covered first followed by the GUI tools. Generally speaking, the CLI tools are
updated more often and are the preferable method of parsing the respective artifact the tool is
designed to parse.
.NET 4 vs .NET 6 EZ Tools

The main difference between the .NET 4 version and .NET 6 version of EZ Tools is the speed and
cross-platform compatability. To compare the speed between .NET 4 and .NET 6 versions of EZ
Tools, check out the Benchmarks⁴ on the EZ Tools site.
.NET 6 allows for EZ Tools (and any other application) to run on Linux and macOS in addition
to Windows. In order to run both the CLI and GUI tools, download the latest version of the .NET
Desktop Runtime here⁵.
What is this book?

This book serves as the official manuals for EZ Tools. This manual does not cover KAPE as KAPE
has its own manual which can be found here⁶.
This book was made on GitHub and published through Leanpub. The GitHub repository for this
book’s manuscripts is here⁷. This book is open-source and can be improved by anyone! Please suggest
improvements by submitting an Issue⁸ or propose changes by submitting a Pull Request⁹.
Mastering EZ Tools
The best way to master EZ Tools, or any tools for that matter, is to use them. Use tools against
sample images found on CFReDS¹⁰, Digital Corpora¹¹, or AboutDFIR¹². Additionally, the DFIRArti-
factMuseum¹³ will be referenced often throughout this manual as there are multiple samples of the
raw artifacts that each EZ Tool is designed to parse.
⁴https://ericzimmerman.github.io/#!benchmarks.md
⁵https://dotnet.microsoft.com/en-us/download/dotnet/6.0
⁶https://ericzimmerman.github.io/KapeDocs/#!index.md
⁷https://github.com/EZToolsManuals/EZToolsManuals
⁸https://github.com/EZToolsManuals/EZToolsManuals/issues
⁹https://github.com/EZToolsManuals/EZToolsManuals/pulls
¹⁰https://cfreds.nist.gov/
¹¹https://digitalcorpora.org/
¹²https://aboutdfir.com/resources/tool-testing/
¹³https://github.com/AndrewRathbun/DFIRArtifactMuseum
Introduction to EZ Tools 4
Content by Eric Zimmerman

• A Guide to Eric Zimmerman’s command line tools (EZ Tools)¹⁴
• Behind The Incident Eric Zimmerman¹⁵
• DFIR Summit 2016: Plumbing the Depths - Windows Registry Internals¹⁶
• Exploring Registry Explorer¹⁷
• Forensic Lunch 7/3/15 with Eric Zimmerman and more¹⁸
• Forensic Lunch 3/8/19 Eric Zimmerman, Lee Whitfield , Kape, Forensic 4Cast, Nominations¹⁹
• From Tool Building to Scalable Automation - SANS DFIR Summit 2019 Keynote²⁰
• KAPE + EZ Tools and Beyond - OSDFCon 2019 - Eric Zimmerman²¹
• Oxygen Forensics Episode 114²²
• Plumbing the Depths: ShellBags - SANS DFIR SUMMIT²³
Content by the DFIR Community about EZ Tools

• Enabling KAPE at Scale²⁴
• Fast, Scalable Results with EZ Tools and the New Command line poster²⁵
• Triage Collection and Timeline Analysis with KAPE²⁶
• Eric Zimmerman’s Results in Seconds at the Command-Line Poster²⁷
• EZ Tools/KAPE: How to Contribute to and Benefit from Open Source Contributions²⁸
• Enhancing Event Log Analysis with EvtxEcmd using KAPE²⁹
• How to Use KAPE and SQLECmd with EventTranscript.db³⁰
¹⁴https://youtu.be/GhCZfCzn2l0
¹⁵https://youtu.be/IuiIGzm7k34
¹⁶https://youtu.be/bsWLg1fWelk
¹⁷https://youtu.be/x5mUUYqnh00
¹⁸https://youtu.be/NKzczOFyykc
¹⁹https://youtu.be/Lwu1Deb6-xg
²⁰https://youtu.be/RIDNVRcDuAY
²¹https://youtu.be/ZCj7cbWwUOs
²²https://youtu.be/qbFBmAJIbIU
²³https://youtu.be/bWxbfARqBPY
²⁴https://youtu.be/YF-jDoh8BFM
²⁵https://youtu.be/yEmLuj3oDzs
²⁶https://www.youtube.com/watch?v=iYyWZSNBNcw
²⁷https://www.sans.org/posters/eric-zimmermans-results-in-seconds-at-the-command-line-poster/
²⁸https://www.youtube.com/watch?v=mIb1GQP3ciE
²⁹https://www.youtube.com/watch?v=BIkyWexMF0I
³⁰https://www.youtube.com/watch?v=DoVStoCJrog
EZ Tools - Common Switches
Common Switches
While each of the EZ Tools provide unique functionality based on the artifact they were developed
specifically to parse, most EZ Tools share common switches that will be covered here so they’re not
repeated in each EZ Tools’ respective Switches section.
-f
Use -f to point the tool to a single file to be parsed.
Examples
.\JLECmd.exe -f D:\DFIRArtifactMuseum\Windows\JumpLists\Win10\APTSimulatorVM\573770283dc3d854.automa
ms
.\LECmd.exe -f C:\temp\test.lnk
.\MFTECmd.exe -f 'C:\temp\webinar6152022\tout\C\$MFT'
-d
Use -d to point to a directory for LECmd to parse. Please note, this switch does work recursively.
Examples
.\LECmd.exe -d C:\temp
--csv
This switch will instruct LECmd to output parsed data into a CSV at the specified location.
Examples
.\LECmd.exe -d C:\temp\LNKFiles --csv C:\temp\LNKFiles\output

.\JLECmd.exe -d C:\temp\JumpLists --csv C:\temp\JumpLists\output
.\MFTECmd.exe -f 'C:\some\random\$MFT' --csv C:\temp\output
EZ Tools - Common Switches 6
--csvf
This switch will instruct LECmd to output parsed data into a CSV at the specified location and name
it using the value specified for this switch.
Examples
.\LECmd.exe -d C:\temp\LNKFiles --csv C:\temp\LNKFiles\output --csvf LNKFileOutput.csv

‘.JLECmd.exe -d C:\tempJumpLists –csv C:\tempJumpLists\output –csvf JumpListOutput.csv‘
--xml
This switch will instruct LECmd to output parsed data into XML at the specified location. Please
note, this will output an XML file for each .LNK file parsed.
Examples
.\LECmd.exe -d C:\temp\LNKFiles --xml C:\temp\LNKFiles\output
--html
This switch will instruct LECmd to output parsed data into XML at the specified location.
Examples
.\LECmd.exe -d C:\temp\LNKFiles --html C:\temp\LNKFiles\output

.\JLECmd.exe -d C:\temp\JumpLists --html C:\temp\JumpLists\output
--json
This switch will instruct LECmd to output parsed data into JSON at the specified location. Please
note, this will output a single JSON file regardless of the number of .LNK files parsed.
Examples
.\LECmd.exe -d C:\temp\LNKFiles --json C:\temp\LNKFiles\output

.\JLECmd.exe -d C:\temp\JumpLists --json C:\temp\JumpLists\output
--pretty
This switch will instruct LECmd to output parsed data into pretty printed JSON at the specified
location.
Examples
.\LECmd.exe -d C:\temp\LNKFiles --json C:\temp\LNKFiles\output --pretty

.\JLECmd.exe -d C:\temp\JumpLists --json C:\temp\JumpLists\output --pretty
--dt
This switch will instruct AmcacheParser to display timestamps in a specified format. The options for
timestamp format can be found here: https://docs.microsoft.com/en-us/dotnet/standard/base-types/
custom-date-and-time-format-strings?redirectedfrom=MSDN
--dedupe
This switch informs the tool to deduplicate results parsed from by the tool. That way, your output
won’t include multipe identical rows for the leanest output possible.
--vss
This switch informs the tool to mount Volume Shadow Copies from the drive letter specified using
the -f or -d switch and parse Prefetch files present within.
Examples
recmd
pecmd
-q
This switch hides the processing details when running a command. This means potentially faster
generated output since your computer doesn’t have to worry about generating output to the console
window during processing.
Example: RECmd.exe -d C:\Windows\system32\config --bn BatchExamples\Kroll_Batch.reb --nl
false --csv C:\temp -q
--debug
This switch will provide log messages that are helpful for debugging code. --debug can be added to
any command for more verbose messaging.
--trace
This switch will provide log messages that are helpful for tracing the execution of code. --trace can
be added to any command for more verbose messaging.
--version
This switch will display the current version of the EZ Tool binary.
--help
This switch will print the same help information as executing the EZ Tool from the command line
without any switches.
EZ Tools - PowerShell vs CMD
There are some important scenarios to consider when using PowerShell vs Command Prompt.
Common Scenarios
When using MFTECmd, using the -f switch will require you to point to a file that has a dollar sign
($) in the filename, such as $MFT, $J, etc. If you are using PowerShell when running MFTECmd, you
will need to use single backticks instead of quotation marks around your file path.
For those not familiar with PowerShell, variables are assigned using dollar signs. For instance,
‘$variable‘ can be assigned any value which can be used throughout a script without having to
retype a value repeatedly.
Here’s an example of this:
$filePath = C:\User\TestUser\Desktop\Folder\AnotherFolder\LongPath\LongerPath\filename.exe
We are assigning that very long file path to the $filePath variable. Therefore, in a script, we could
simple use $filePath every time we want to inject that file path into our script. Additionally, it
allows for us to declare the file path once in the script and the corrected file path is reflected wherever
that variable is used.
How this relates to MFTECmd’s usage is when pointing to a $MFT file, if you use quotation marks,
PowerShell will be expecting a value to have been assigned to $MFT or $J. When running a one-liner
command with MFTECmd, we are not declaring variables called $MFT or $J, rather, we’re pointing
to files that have those specific names.
Here is an example of a bad command using PowerShell:
.\MFTECmd.exe -f "C:\temp\$someMFT” --csv C:\temp
Here is an example of a correct command using PowerShell:

.\MFTECmd.exe -f 'C:\temp\$someMFT' --csv C:\temp
You will notice a difference in the colors

EZ Tools - PowerShell vs CMD 10
Only when you run the command with single backticks will you have output generated with
MFTECmd.
EZ Tools - CLI 12
EZ Tools - CLI
AmcacheParser
AmcacheParser Introduction
AmcacheParser is a tool created by Eric Zimmerman used to parse Amcache.hve files, commonly
found at C:\Windows\appcompat\Programs\Amcache.hve.
AmcacheParser Use Cases
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing the Amcache.hve artifact which can
help provide insight as to which programs were installed on a computer. Additionally, the artifact
can provide hardware information which may be useful context to have for the purpose of evidence
identifcation.
Private Sector
For those in the Private Sector, this tool is useful for parsing the Amcache.hve artifact which can
help provide evidence of program execution. Unassociated entries will often be where malicious
applications can be found along with the associated SHA1 hash value which can then be leveraged
into a resource like VirusTotal to learn more about the application.
AmcacheParser 14
AmcacheParser Switches
In a PowerShell window, running .\AmcacheParser.exe will provide the following options when
running AmcacheParser:
Description:
AmcacheParser version 1.5.1.0
Author: Eric Zimmerman (saericzimmerman@gmail.com)

https://github.com/EricZimmerman/AmcacheParser
Examples: AmcacheParser.exe -f "C:\Temp\amcache\AmcacheWin10.hve" --csv C:\temp

AmcacheParser.exe -f "C:\Temp\amcache\AmcacheWin10.hve" -i on --csv C:\t\
emp --csvf foo.csv
AmcacheParser.exe -f "C:\Temp\amcache\AmcacheWin10.hve" -w "c:\temp\whit\
elist.txt" --csv C:\temp
Short options (single letter) are prefixed with a single dash. Long comm\
ands are prefixed with two dashes
Usage:
AmcacheParser [options]
Options:
-f <f> (REQUIRED) Amcache.hve file to parse
-i Include file entries for Programs entries [default: False]
-w <w> Path to file containing SHA-1 hashes to *exclude* from the\
results. Blacklisting overrides
whitelisting
-b <b> Path to file containing SHA-1 hashes to *include* from the\
results. Blacklisting overrides
whitelisting
--csv <csv> (REQUIRED) Directory to save CSV formatted results to. Be sure to inc\
lude the full path in double quotes
--csvf <csvf> File name to save CSV formatted results to. When present, \
overrides default name
--dt <dt> The custom date/time format to use when displaying time st\
amps. See https://goo.gl/CNVq0k for
options [default: yyyy-MM-dd HH:mm:ss]
--mp Display higher precision for time stamps [default: False]
--nl When true, ignore transaction log files for dirty hives. D\
efault is FALSE
AmcacheParser 15
[default: False]
--debug Show debug information during processing [default: False]
--trace Show trace information during processing [default: False]
--version Show version information
-?, -h, --help Show help and usage information
Switch Descriptions
-i
This switch will instruct AmcacheParser to include output for ProgramEntries.

Example: .\AmcacheParser.exe -f "D:\DFIRArtifactMuseum\Windows\Amcache\Win10\APTSimulatorVM\Amcache.h
--csv D:\Amcache -i
-w
This switch will instruct AmcacheParser to read a specified file containing SHA-1 hashes to exclude
from the results. This means that hashes specified in this file will NOT be included in the CSV output.
--csv D:\Amcache -w D:\Amcache\Hashes.txt
-b
This switch will instruct AmcacheParser to read a specified file containing SHA-1 hashes to include
from the results. This means that hashes specified in this file will be the ONLY results included in
the CSV output.
--csv D:\Amcache -b D:\Amcache\Hashes.txt
--mp
This switch will instruct AmcacheParser to provide more verbose timestamps. For instance, running
.\AmcacheParser.exe -f "D:\Amcache\Amcache.hve" --csv D:\Amcache resulted in the following:
File Key Last Write Timestamp

2022-03-20 21:24:56.000000
Running .\AmcacheParser.exe -f "D:\DFIRArtifactMuseum\Windows\Amcache\Win10\APTSimulatorVM\Amcache.hv

--csv D:\Amcache --mp resulted in the following:
AmcacheParser 16
File Key Last Write Timestamp

2022-03-20 21:24:56.028214
--nl
This switch will instruct AmcacheParser to ignore transaction logs (*.LOG files)
--csv D:\Amcache --nl
AmcacheParser 17
AmcacheParser Command Examples
Example AmcacheParser Commands
Parse an Amcache.hve File and Output to CSV
AmcacheParser.exe -f "C:\Temp\amcache\AmcacheWin10.hve" --csv C:\temp
Parse an Amcache.hve file and Output to CSV (specified filename) with

ProgramEntries
AmcacheParser.exe -f "C:\Temp\amcache\AmcacheWin10.hve" -i on --csv C:\temp --csvf f\

oo.csv
Parse an Amcache.hve file and Output to CSV While Only Including Results
That Match Specified Hashes
AmcacheParser.exe -f "C:\Temp\amcache\AmcacheWin10.hve" -w "c:\temp\whitelist.txt" -\

-csv C:\temp
AmcacheParser Output
Analyzing AmcacheParser Output - CSV

--csv is required, so there’s no console output with AmcacheParser
AmcacheParser will produce the following CSVs:

%timestamp%_Amcache_AssociatedFileEntries.csv
%timestamp%_Amcache_DeviceContainers.csv
%timestamp%_Amcache_DevicePnps.csv
%timestamp%_Amcache_DriveBinaries.csv
%timestamp%_Amcache_DriverPackages.csv
%timestamp%_Amcache_ProgramEntries.csv
%timestamp%_Amcache_ShortCuts.csv
%timestamp%_Amcache_UnassociatedFileEntries.csv
%timestamp% will look something similar to this: 20220904032628

AmcacheParser 18
AmcacheParser Key Takeaways
Important Data Points

The Amcache.hve will provide SHA1 hash values for binaries. This can be helpful in Incident
Response engagements where you can leverage the SHA1 hash value for something like VirusTotal to
learn more about a potentially malicious binary. Please note that often malicious binaries introduced
by threat actors will be found in the UnassociatedEntries CSV. These will be programs that don’t
have program entries within the Amcache. This is an easy way to find malware because malware
doesn’t come with an installer! Additionally, the File Key ID Last Write Timestamp can be a reliable
indicator of evidence of execution.
If you want to analyze the Amcache.hve artifact in a GUI tool, you can simply ingest it into Registry
Explorer similar to other common Registry hives.
AmcacheParser 19
AmcacheParser References
Associated GitHub Repositories

• https://github.com/EricZimmerman/AmcacheParser is the AmcacheParser repo
Blog Posts
Official Blog Posts
Blog posts from Eric Zimmerman’s blog, Binary Foray:
• Locked file support added to AmcacheParser, AppCompatCacheParser, MFTECmd, ShellBags

Explorer (and SBECmd), and Registry Explorer (and RECmd)³¹
• Everything gets an update, Sept 2018 edition³²
• Updates to the left of me, updates to the right of me, version 1 releases are here (for the most
part)³³
• (Am)cache still rules everything around me (part 2 of 1)³⁴
Download AmcacheParser
AmcacheParser can be downloaded from https://ericzimmerman.github.io/#!index.md
Amcache Sample Data

Sample Amcache.hve artifacts can be found at the DFIRArtifactMuseum³⁵.
³¹https://binaryforay.blogspot.com/2019/01/locked-file-support-added-to.html
³²https://binaryforay.blogspot.com/2018/09/everything-gets-update-sept-2018-edition.html
³³https://binaryforay.blogspot.com/2018/03/updates-to-left-of-me-updates-to-right.html
³⁴https://binaryforay.blogspot.com/2017/10/amcache-still-rules-everything-around.html
³⁵https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/Amcache
AppCompatCacheParser
AppCompatCacheParser Introduction
AppCompatCacheParser is a tool created by Eric Zimmerman used to parse the AppCompatCache,
commonly referred to as the ShimCache, which can be found in the SYSTEM hive.
AppCompatCacheParser Use Cases
Law Enforcement
For those in Law Enforcement, this tool is useful for providing evidence of file knowledge. Artifacts
seen in the AppCompatCache, depending on the version of Windows, may provide indicators of an
executable existing on the file system at a given point in time.
Private Sector
For those in the Private Sector, this tool is useful for providing evidence of file knowledge. Artifacts
seen in the AppCompatCache, depending on the version of Windows, may provide indicators of
an executable existing on the file system at a given point in time. Additionally, previous versions
of Windows had indicators of program execution but more reliably that same information can be
found in Prefetch, UserAssist, etc.
AppCompatCacheParser 21
AppCompatCacheParser Switches
In a PowerShell window, running .\AppCompatCacheParser.exe will provide the following options
when running AppCompatCacheParser:
Description:
AppCompatCache Parser version 1.5.0.0

https://github.com/EricZimmerman/AppCompatCacheParser
Examples: AppCompatCacheParser.exe --csv c:\temp -t -c 2

AppCompatCacheParser.exe --csv c:\temp --csvf results.csv
ands are
prefixed with two dashes
Usage:
AppCompatCacheParser [options]
Options:
-f <f> Full path to SYSTEM hive to process. If this option is not
specified, the live Registry will be used
lude the
full path in double quotes
--csvf <csvf> File name to save CSV formatted results to. When present, \
overrides
default name
--c <c> The ControlSet to parse. Default is to extract all control\
sets
[default: -1]
-t Sorts last modified timestamps in descending order [defaul\
t: False]
amps. See
https://goo.gl/CNVq0k for options [default: yyyy-MM-dd HH:\
mm:ss]
--nl When true, ignore transaction log files for dirty hives [d\
efault:
False]
Switch Descriptions
-c
This switch informs the tool to parse a specific ControlSet. The default is to parse all ControlSets
specified within the Registry.
Example: .\AppCompatCacheParser.exe -f "C:\temp\System" --csv C:\temp\appcompatcachetest
--c 1
The above command will display the following message in the console window:
1 Found 1,024 cache entries for Windows10Creators in ControlSet001

2
3 Results saved to 'C:\temp\appcompatcachetest\20220805212738_Windows10Creators_System\
4 _ControlSet001_AppCompatCache.csv'
-t
This switch will inform the tool to sort the last modified timestamps in descending order.
Example: .\AppCompatCacheParser.exe -f "D:\temp\SYSTEM" --nl false --csv "D:\temp" -t
-nl
This switch will inform the tool whether to replay transaction logs or not.
Below is an exmaple of replaying transaction logs:
Example: .\AppCompatCacheParser.exe -f "D:\temp\SYSTEM" --nl false --csv "D:\temp"
When processing transaction logs, you will see a message similar to this:
1 Two transaction logs found. Determining primary log...

2 Primary log: D:\temp\SYSTEM.LOG2, secondary log: D:\temp\SYSTEM.LOG1
3 Replaying log file: D:\temp\SYSTEM.LOG2
4 Replaying log file: D:\temp\SYSTEM.LOG1
5 At least one transaction log was applied. Sequence numbers have been updated to 0x91\
6 DD. New Checksum: 0xAD729723
Below is an example of ignoring transaction logs:

Example: .\AppCompatCacheParser.exe -f "D:\temp\SYSTEM" --nl true --csv "D:\temp"
When ignoring transaction logs, you will see a message similar to this:
1 Registry hive is dirty and transaction logs were found in the same directory, but --\
2 nl was provided. Data may be missing! Continuing anyways...
3 Sequence numbers do not match! Hive is dirty and the transaction logs should be revi\
4 ewed for relevant data!
AppCompatCacheParser Command Examples
Example AppCompatCacheParser Commands

Parse the AppCompatCache from the SYSTEM Registry hive and output to a
specified location while only parsing ControlSet2
AppCompatCacheParser.exe --csv c:\temp -c 2
Parse the AppCompatCache from the SYSTEM Registry hive and output to a
specified location while outputting a CSV named results.csv
AppCompatCacheParser.exe --csv c:\temp --csvf results.csv
AppCompatCacheParser Output
Analyzing AppCompatCacheParser Output - CSV

AppCompatCacheParser will output a filename similar to these:
%timestamp%_XXXXXX_SYSTEM_AppCompatCache.csv
According to AppCompatCacheParser’s code³⁶, the following versions can replace the XXXXXX:
WindowsXP,
WindowsVistaWin2k3Win2k8,
Windows7x86,
Windows7x64_Windows2008R2,
Windows80_Windows2012,
Windows81_Windows2012R2,
Windows10,
Windows10Creators,
Unknown
³⁶https://github.com/EricZimmerman/AppCompatCacheParser/blob/95d4e1e084fdf8289175fdb47a15747753ec8e77/AppCompatCache/
AppCompatCache.cs#L56
AppCompatCacheParser Key Takeaways

The Last Modified timestamp will not be the last time of execution, rather, it’ll be the last modified
timestamp of the file itself. In some instances, this timestamp could be similar to a file’s execution as
seen elsewhere in UserAssist, Prefetch, etc. In that scenario, consider the file may have been copied
from elsewhere and then executed immediately upon the file copy operation’s completion. With
the file being copied, the last modified timestamp will reflect the time of the file copy operation’s
completion, which being immediately followed by executing the file could make the last modified
timestamp found in the AppCompatCache seem like a reliable timestamp, in some cases. Ideally,
rely on other artifacts for more reliable evidence of execution timestamps.
AppCompatCacheParser References

• https://github.com/EricZimmerman/JumpList is the C# library for parsing JumpList files
• https://github.com/EricZimmerman/OleCf is the C# library for parsing OLE compound files,
which Jump Lists are
• https://github.com/EricZimmerman/JLECmd is the Command Line wrapper for the JumpList
library
Blog Posts
Official Blog Posts
• Introducing AppCompatCacheParser³⁷
• AppCompatCacheParser v0.0.5.1 released³⁸
• AppCompatCacheParser v0.0.5.2 released³⁹
• AppCompatCacheParser v0.9.0.0 released and some AppCompatCache/shimcache parser test-
ing⁴⁰
• Windows 10 Creators update vs shimcache parsers: Fight!!⁴¹
part)⁴²
• Everything gets an update, Sept 2018 edition⁴³
Explorer (and SBECmd), and Registry Explorer (and RECmd)⁴⁴
Community Resources
• 13Cubed - Windows Application Compatibility Forensics⁴⁵

• 13Cubed - Let’s Talk About Shimcache - The Most Misunderstood Artifact⁴⁶
³⁷https://binaryforay.blogspot.com/2015/05/introducing-appcompatcacheparser.html
³⁸https://binaryforay.blogspot.com/2015/05/appcompatcacheparser-v0051-released.html
³⁹https://binaryforay.blogspot.com/2015/05/appcompatcacheparser-v0052-released.html
⁴⁰https://binaryforay.blogspot.com/2016/05/appcompatcacheparser-v0900-released-and.html
⁴¹https://binaryforay.blogspot.com/2017/03/windows-10-creators-update-vs-shimcache.html
⁴²https://binaryforay.blogspot.com/2018/03/updates-to-left-of-me-updates-to-right.html
⁴³https://binaryforay.blogspot.com/2018/09/everything-gets-update-sept-2018-edition.html
⁴⁴https://binaryforay.blogspot.com/2019/01/locked-file-support-added-to.html
⁴⁵https://youtu.be/ZKlyu-HOvxY
⁴⁶https://youtu.be/7byz1dR_CLg
Download AppCompatCacheParser
AppCompatCacheParser can be downloaded from https://ericzimmerman.github.io/#!index.md
AppCompatCache Sample Data

Sample data for the AppCompatCache can be found in the DFIRArtifactMuseum here⁴⁷.
⁴⁷https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/AppCompatCache
bstrings
bstrings Introduction
bstrings is a tool created by Eric Zimmerman used to search files for strings. This can be accom-
plished by using user-specified search strings or regular expressions or built-in regular expressions.
bstrings Use Cases
Law Enforcement
For those in Law Enforcement, this tool is useful for searching through files for keywords or regular
expressions of interest, including but not limited to: credit cards, Social Security numbers, phone
numbers, email addresses, cryptocurrency wallets, and many more.
Private Sector
For those in the Private Sector, this tool is useful for searching through files for keywords or regular
expressions of interest, including but not limited to: IPv4 addresses, IPv6 addresses, SID numbers,
cryptocurrency wallets, and many more.
bstrings 29
bstrings Switches
In a PowerShell window, running .\bstrings.exe will provide the following options when running
JLECmd:
Description:
bstrings version 1.5.2.0

https://github.com/EricZimmerman/bstrings
Examples: bstrings.exe -f "C:\Temp\UsrClass 1.dat" --ls URL

bstrings.exe -f "C:\Temp\someFile.txt" --lr guid
bstrings.exe -f "C:\Temp\aBigFile.bin" --fs c:\temp\searchStrings.txt --\
fr
c:\temp\searchRegex.txt -s
bstrings.exe -d "C:\Temp" --mask "*.dll"
bstrings.exe -d "C:\Temp" --ar "[\x20-\x37]"
bstrings.exe -d "C:\Temp" --cp 10007
bstrings.exe -d "C:\Temp" --ls test
bstrings.exe -f "C:\Temp\someOtherFile.txt" --lr cc --sa
bstrings.exe -f "C:\Temp\someOtherFile.txt" --lr cc --sa -m 15 -x 22
bstrings.exe -f "C:\Temp\UsrClass 1.dat" --ls mui --sl
Usage:
bstrings [options]
Options:
-f <f> File to search. Either this or -d is required
-d <d> Directory to recursively process. Either this or -f is required
-o <o> File to save results to
-a If set, look for ASCII strings. Use -a false to disable [default: \
True]
-u If set, look for Unicode strings. Use -u false to disable [default\
: True]
-m <m> Minimum string length [default: 3]
-b <b> Chunk size in MB. Valid range is 1 to 1024. Default is 512 [defaul\
t: 512]
-q Quiet mode (Do not show header or total number of hits) [default: \
False]
-s Really Quiet mode (Do not display hits to console. Speeds up proce\
ssing when
bstrings 30
using -o) [default: False]

-x <x> Maximum string length. Default is unlimited [default: -1]
-p Display list of built in regular expressions [default: False]
--ls <ls> String to look for. When set, only matching strings are returned
--lr <lr> Regex to look for. When set, only strings matching the regex are r\
eturned
--fs <fs> File containing strings to look for. When set, only matching strin\
gs are returned
--fr <fr> Directory to save bodyfile formatted results to. --bdl is also req\
uired when
using this option
--ar <ar> Range of characters to search for in 'Code page' strings. Specify \
as a range of
characters in hex format and enclose in quotes. Default is [\x20 -\
\x7E]
[default: [ -~]]
--ur <ur> Range of characters to search for in 'Code page' strings. Specify \
as a range of
characters in hex format and enclose in quotes. Default is [\x20 -\
\x7E]
[default: [ -~]]
--cp <cp> Code page to use. Default is 1252. Use the Identifier value for co\
de pages at
https://goo.gl/ig6DxW [default: 1252]
--mask <mask> When using -d, file mask to search for. * and ? are supported. Thi\
s option has
no effect when using -f
--ms <ms> When using -d, maximum file size to process. This option has no ef\
fect when
using -f [default: -1]
--ro When true, list the string matched by regex pattern vs string the \
pattern was
found in (This may result in duplicate strings in output. ~ denote\
s approx.
offset) [default: False]
--off Show offset to hit after string, followed by the encoding (A=1252,\
U=Unicode)
[default: False]
--sa Sort results alphabetically [default: False]
--sl Sort results by length [default: False]
bstrings 31
Either -f or -d is required. Exiting

bstrings 32
Switch Descriptions
-o
This switch informs the tool to save the results of a search to a specified location.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --ls powershell -o
"D:\DFIRArtifactMuseum\Windows\results.txt"
Please note that if you run multiple searches with the -o switch, which outputs to a file with a
specified filename, subsequent searches after the initial search will append the results to that output
file with each search if the output filename is the same for each search.
-a
This switch informs the tool to look for ASCII⁴⁸ strings. Default is true, so if you want to disable it,
use -a false.
"D:\DFIRArtifactMuseum\Windows\results.txt" -a false
“-u
This switch informs the tool to look for Unicode⁴⁹ strings. Default is true, so if you want to disable
it, use -u false.
"D:\DFIRArtifactMuseum\Windows\results.txt" -u false
-m
This switch informs the tool to look for strings that are a minimum length of the specified value.
"D:\DFIRArtifactMuseum\Windows\results.txt" -m 12
-b
This switch informs the tool to search a specified chunk size. The default is 512 but the valid range
is 1 to 1024.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows\Pagefile\" --ls powershell -o
"D:\DFIRArtifactMuseum\Windows\results.txt" -b 10
Running the above command will result in console messages similar to the below:
⁴⁸https://en.wikipedia.org/wiki/ASCII
⁴⁹https://en.wikipedia.org/wiki/Unicode
bstrings 33
1 Searching 3 chunks (10 MB each) across 22.034 MB in 'D:\DFIRArtifactMuseum\Windows\P\

2 agefile\Win10\APTSiimulatorVM\pagefile.7z'
3
4 Chunk 1 of 3 finished. Total strings so far: 311,770 Elapsed time: 0.252 seconds. Av\
5 erage strings/sec: 1,239,057
7 erage strings/sec: 894,890
9 erage strings/sec: 875,745
10 Primary search complete. Looking for strings across chunk boundaries...
11 Search complete.
Change the value to 1 would result in the following messages:
1 Searching 23 chunks (1 MB each) across 22.034 MB in 'D:\DFIRArtifactMuseum\Windows\P\

2 agefile\Win10\APTSiimulatorVM\pagefile.7z'
3
10 Chunk 4 of 23 finished. Total strings so far: 130,789 Elapsed time: 0.111 seconds. A\
11 verage strings/sec: 1,178,745
15 verage strings/sec: 933,171
22 Chunk 10 of 23 finished. Total strings so far: 311,770 Elapsed time: 0.312 seconds. \
23 Average strings/sec: 998,170
bstrings 34
50 Primary search complete. Looking for strings across chunk boundaries...
51 Search complete.
-q
This switch informs the tool to run in quiet mode, where the header and footer won’t display as
results are being displayed in the console window.
"D:\DFIRArtifactMuseum\Windows\results.txt" -a false -q
-x
This switch informs the tool to search for strings with a maximum length of a specified value.
"D:\DFIRArtifactMuseum\Windows\results.txt" -x 15
-p
This switch informs the tool to display the list of regular expressions built in to the tool.
Example: .\bstrings.exe -p
This command will display the following information:
bstrings 35
1 Name Description
2 aeon Finds Aeon wallet addresses
3 b64 Finds valid formatted base 64 strings
4 bitcoin Finds BitCoin wallet addresses
5 bitlocker Finds Bitlocker recovery keys
6 bytecoin Finds ByteCoin wallet addresses
7 cc Finds credit card numbers
8 dashcoin Finds DashCoin wallet addresses (D*)
9 dashcoin2 Finds DashCoin wallet addresses (7|X)*
10 email Finds embedded email addresses
11 fantomcoin Finds Fantomcoin wallet addresses
12 guid Finds GUIDs
13 ipv4 Finds IP version 4 addresses
14 ipv6 Finds IP version 6 addresses
15 mac Finds MAC addresses
16 monero Finds Monero wallet addresses
17 reg_path Finds paths related to Registry hives
18 sid Finds Microsoft Security Identifiers (SID)
19 ssn Finds US Social Security Numbers
20 sumokoin Finds SumoKoin wallet addresses
21 unc Finds UNC paths
22 url3986 Finds URLs according to RFC 3986
23 urlUser Finds usernames in URLs
24 usPhone Finds US phone numbers
25 var_set Finds environment variables being set (OS=Windows_NT)
26 win_path Finds Windows style paths (C:\folder1\folder2\file.txt)
27 xml Finds XML/HTML tags
28 zip Finds zip codes
29
30 To use a built in pattern, supply the Name to the --lr switch
--ls
This switch informs the tool to search for a specified string.

Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --ls powershell
--lr
This switch informs the tool to search for a specified built-in regular expression.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --lr ipv4
bstrings 36
--fs
This switch informs the tool to use a specified list of search terms within a specified file.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --fs C:\temp\searchterms.txt
--ar
This switch informs the tool to search using a specified range to search for in “code page” strings.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --lr ipv4 --fr
C:\temp\results.txt --ar [\x20-\x37] -q
--ur
This switch informs the tool to search using a specified range to search for in Unicode strings.
C:\temp\results.txt --ur [\u0020-\u007E] -q
--cp
This switch informs the tool to use a specified code page. The default is 1252. Check out this link⁵⁰
for information on other code pages available.
C:\temp\results.txt --ur [\u0020-\u007E] -q --cp 1256
--mask
This switch informs the tool to search a specified file mask. For instance, to search through all .exe
files, one would specify --mask *.exe.
C:\temp\results.txt --mask *.txt
The above command would search through all .txt files using the IPv4 regular expression as a search
term.
--ms
This switch informs the tool of the maximum size file (in bytes) to process when using the -d switch.
C:\temp\results.txt --mask *.txt --ms 10
The above command will provide messages similar to the following:

⁵⁰https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers?redirectedfrom=MSDN
bstrings 37
1 'D:\DFIRArtifactMuseum\Windows\AppCompatCache\ReadMe.txt' is bigger than max file si\

2 ze of 10 bytes! Skipping...
3 Searching via RegEx pattern: \b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.)\
4 {3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b
--ro
This switch informs the tool to list the string matched as the search is running.
Example: .\bstrings.exe -d "D:\DFIRArtifactMuseum\Windows" --lr ipv4 -o
C:\temp\results.txt --ro -q
Try the above command with and without the --ro and see the difference. --ro will list each IPv4
address hit and running the command without --ro will list the files where hits are being located.
--off
This switch informs the tool to show the offset of the hit and code page for each hit.
C:\temp\results.txt --off -q
The above command’s first hit will be similar to the following:

C:\Program Files (x86)\Common Files\Microsoft Shared\VsHub\1.0.0.0\Microsoft.VsHub.Server.HttpHostx64
0x5D82 (U)
--sa
This switch informs the tool to sort the results alphabetically.

C:\temp\results.txt --sa -q
“–sl
This switch informs the tool to sort the results by length.

C:\temp\results.txt --sl -q
bstrings 38
bstrings Command Examples
Example bstrings Commands
Search a specified file for the string URL
bstrings.exe -f "C:\Temp\UsrClass 1.dat" --ls URL
Search a specified file for the GUID regular expression
bstrings.exe -f "C:\Temp\someFile.txt" --lr guid
Search a specified file using a file with specified search strings and a file with
specified regular expressions
bstrings.exe -f "C:\Temp\aBigFile.bin" --fs c:\temp\searchStrings.txt --fr c:\temp\s\

earchRegex.txt
Search a specified directory for all files with the .dll file extension
bstrings.exe -d "C:\Temp" --mask "*.dll"
Search a specified directory for a range of specified characters within a code

page
bstrings.exe -d "C:\Temp" --ar "[\x20-\x37]"
Search a specified directory using the Cyrillic (Mac) code page
bstrings.exe -d "C:\Temp" --cp 10007
Search a specified directory for the string test
bstrings.exe -d "C:\Temp" --ls test
Search a specified file for credit cards using regular expressions and sort the
results alphabetically
bstrings.exe -f "C:\Temp\someOtherFile.txt" --lr cc --sa
Search a specified file using the credit card regular expression, sorting the
results alphabetically, with a minimum string length of 15, and a maximum
string length of 22
bstrings 39
bstrings.exe -f "C:\Temp\someOtherFile.txt" --lr cc --sa -m 15 -x 22
Search a specified file for the string mui and sort the results by length
bstrings.exe -f "C:\Temp\UsrClass 1.dat" --ls mui --sl

bstrings 40
bstrings References

• https://github.com/EricZimmerman/bstrings is the GitHub repository for bstrings
Blog Posts
Official Blog Posts
• Introducing bstrings, a Better Strings utility!⁵¹

• bstrings 0.9.0.0 released⁵²
• bstrings 0.9.5.0 released⁵³
• A few updates⁵⁴
• bstrings 0.9.7.0 released⁵⁵
• bstrings 0.9.8.0 released⁵⁶
• bstrings 0.9.9.0 released!⁵⁷
• bstrings 1.0 released!⁵⁸
• bstrings v1.1 released!⁵⁹
Community Resources
• Data Recovery Blog 2⁶⁰
Download bstrings
bstrings can be downloaded from https://ericzimmerman.github.io/#!index.md
⁵¹https://binaryforay.blogspot.com/2015/07/introducing-bstrings-better-strings.html
⁵²https://binaryforay.blogspot.com/2015/07/bstrings-0900-released.html
⁵³https://binaryforay.blogspot.com/2015/07/bstrings-0950-released.html
⁵⁴https://binaryforay.blogspot.com/2015/08/a-few-updates.html
⁵⁵https://binaryforay.blogspot.com/2015/11/bstrings-0970-released.html
⁵⁶https://binaryforay.blogspot.com/2015/12/bstrings-0980-released.html
⁵⁷https://binaryforay.blogspot.com/2016/02/bstrings-0990-released.html
⁵⁸https://binaryforay.blogspot.com/2016/02/bstrings-10-released.html
⁵⁹https://binaryforay.blogspot.com/2016/04/bstrings-v11-released.html
⁶⁰https://leahycenterblog.champlain.edu/2020/05/01/data-recovery-blog-2-2/
EvtxECmd
EvtxECmd Introduction
EvtxECmd is a tool created by Eric Zimmerman used to parse event logs from Windows. Versions of
Windows from Vista and beyond have utilized the .evtx format, which incorporates XML payloads
within the .evtx files. EvtxECmd only parses .evtx files, so if you’re dealing with .evt files, EvtxECmd
will not parse those particular files.
EvtxECmd Use Cases
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing event logs which can provide useful
program execution artifacts, NTFS file system artifacts, evidence of USB device connections, and
much more.
Private Sector
For those in the Private Sector, this tool is useful for parsing event logs which can provide useful
artifacts relating to RDP sessions, account lockouts, failed logons, and much more.
EvtxECmd 42
EvtxECmd Maps
https://github.com/EricZimmerman/evtx/tree/master/evtx/Maps
Creating EvtxECmd Maps
If you are looking for guidance on how to create EvtxECmd Maps, look no further than the following
resources:
• EvtxECmd Maps Guide⁶¹

• EvtxECmd Maps Template⁶²
Additionally, please check out Andrew Rathbun’s 2021 SANS DFIR Summit presentation on EZ
Tools/KAPE: How to Contribute to and Benefit from Open Source Contributions. Click here⁶³ for a
timestamped link to the section of the presentation that relates to EvtxECmd Maps.
EvtxECmd Switches
In a PowerShell window, running .\EvtxECmd.exe will provide the following options when running
EvtxECmd:
Description:
EvtxECmd version 1.0.0.0

https://github.com/EricZimmerman/evtx
Examples: EvtxECmd.exe -f "C:\Temp\Application.evtx" --csv "c:\temp\out" --csvf My\

OutputFile.csv
EvtxECmd.exe -f "C:\Temp\Application.evtx" --csv "c:\temp\out"
EvtxECmd.exe -f "C:\Temp\Application.evtx" --json "c:\temp\jsonout"
Usage:
EvtxECmd [options]
⁶¹https://github.com/EricZimmerman/evtx/blob/master/evtx/Maps/!Channel-Name_Provider-Name_EventID.guide
⁶²https://github.com/EricZimmerman/evtx/blob/master/evtx/Maps/!Channel-Name_Provider-Name_EventID.template
⁶³https://youtu.be/mIb1GQP3ciE?t=860
EvtxECmd 43
Options:
-f <f> File to process. This or -d is required
-d <d> Directory to process that contains evtx files. This or -f is requ\
ired
--csv <csv> Directory to save CSV formatted results to
--csvf <csvf> File name to save CSV formatted results to. When present, overrid\
es default name
--json <json> Directory to save JSON formatted results to
--jsonf <jsonf> File name to save JSON formatted results to. When present, overri\
des default name
--xml <xml> Directory to save XML formatted results to
--xmlf <xmlf> File name to save XML formatted results to. When present, overrid\
es default name
--dt <dt> The custom date/time format to use when displaying time stamps [d\
efault: yyyy-MM-dd HH:mm:ss.fffffff]
--inc <inc> List of Event IDs to process. All others are ignored. Overrides -\
-exc Format is 4624,4625,5410
--exc <exc> List of Event IDs to IGNORE. All others are included. Format is 4\
624,4625,5410
--sd <sd> Start date for including events (UTC). Anything OLDER than this i\
s dropped. Format should match --dt
--ed <ed> End date for including events (UTC). Anything NEWER than this is \
dropped. Format should match --dt
--fj When true, export all available data when using --json [default: \
False]
--tdt <tdt> The number of seconds to use for time discrepancy detection [defa\
ult: 1]
--met When true, show metrics about processed event log [default: True]
--maps <maps> The path where event maps are located. Defaults to 'Maps' folder \
where program was executed
[default: C:\Users\CFUser\OneDrive - Kroll\Desktop\EZ Tools\net6\\
EvtxeCmd\Maps]
--vss Process all Volume Shadow Copies that exist on drive specified by\
-f or -d [default: False]
--dedupe Deduplicate -f or -d & VSCs based on SHA-1. First file found wins\
[default: True]
--sync If true, the latest maps from https://github.com/EricZimmerman/ev\
tx/tree/master/evtx/Maps are
downloaded and local maps updated [default: False]
EvtxECmd 44
-f or -d is required. Exiting
EvtxECmd 45
Switch Descriptions
--inc
This switch will provide EvtxECmd with which event ID(s) to process.
Example: .\EvtxECmd.exe -d C:\Windows\System32\winevt\Logs --inc 4624,4625
The above command WILL process 4624 and 4625 events, but will NOT process anything else.
--exc
This switch will provide EvtxECmd with which event ID(s) to ignore during process.
Example: .\EvtxECmd.exe -d C:\Windows\System32\winevt\Logs --exc 4624,4625
The above command will NOT process 4624 and 4625 events, but will process everything other event.
--sd
This switch will provide a starting date for which EvtxECmd will process all events that have
occurred AFTER that date.
Example: .\EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evt
--csv D:\ --sd "2022-07-29 00:00:00.0000000"
Not using quotes around the timestamp may cause issues.
--ed
This switch will provide a starting date for which EvtxECmd will process all events that have
occurred BEFORE that date.
Example: .\EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evt
--csv D:\ --ed "2022-07-27 00:00:00.0000000"
Not using quotes around the timestamp may cause issues.
--fj
This switch will include full details when using the common --json switch.
Example: .\EvtxECmd.exe -d "C:\Users\CFUser\Downloads\EventLogs\logs" --json
"C:\Users\CFUser\Downloads\EventLogs\logs\json" --fj
--tdt
This switch informs the tool with the number of seconds to look for when searching for time
discrepancy detection.
Example: EvtxECmd.exe -f "C:\Temp\Application.evtx" --csv "c:\temp\out" --tdt 5
EvtxECmd 46
--met
This switch informs the tool as to whether or not to provide statistics, with the default being true.
Example: EvtxECmd.exe -f "C:\Temp\Application.evtx" --csv "c:\temp\out" --met false
With --met false, the following statistics will NOT be displayed after each .evtx file that is parsed
by EvtxECmd:
1 Metrics (including dropped events)

2 Event ID Count
3 300 1
4 400 666
5 403 404
6 600 4,939
7 800 197
By default, the above statistics will be displayed after each .evtx file is parsed by EvtxECmd.
‘–maps‘
This switch will inform the tool to look for EvtxECmd Maps at a specified location other than
.\EvtxECmd\Maps.
Example: .\EvtxECmd.exe -d "D:\evtx" --csv "D:\evtx" --maps "D:\Maps"
--vss
Example: .\EvtxECmd.exe -d "D:\evtx" --csv "D:\evtx" --vss
‘–sync‘
This switch will inform the tool to download all EvtxECmd Maps from GitHub⁶⁴ and update the
local Maps stored in .\EvtxECmd\Maps.
Example: .\EvtxECmd.exe --sync
⁶⁴https://github.com/EricZimmerman/evtx/tree/master/evtx/Maps
EvtxECmd 47
EvtxECmd Command Examples
Example EvtxECmd Commands

Parse a single .evtx file and output to CSV to a specified location with a
specified output filename
EvtxECmd.exe -f "C:\Temp\Application.evtx" --csv "c:\temp\out" --csvf MyOutputFile.c\

sv
Parse a single .evtx file and output to CSV to a specified location
EvtxECmd.exe -f "C:\Temp\Application.evtx" --csv "c:\temp\out"
Parse a single .evtx file and output to JSON to a specified location
EvtxECmd.exe -f "C:\Temp\Application.evtx" --json "c:\temp\jsonout"

EvtxECmd 48
EvtxECmd Output
Analyzing EvtxECmd Output - JSON

When executing EvtxECmd with JSON output enabled, you will see similar output to the example
below:
1 {
2 "ChunkNumber": 0,
3 "Computer": "HostnameGoesHere",
4 "Payload": "{\"EventData\":{\"Data\":[{\"@Name\":\"param1\",\"#text\":\"86400\"},{\\
5 "@Name\":\"param2\",\"#text\":\"SuppressDuplicateDuration\"},{\"@Name\":\"param3\",\\
6 "#text\":\"Software\\\\Microsoft\\\\EventSystem\\\\EventLog\"}]}}",
7 "Channel": "Application",
8 "Provider": "Microsoft-Windows-EventSystem",
9 "EventId": 4625,
10 "EventRecordId": "1",
11 "ProcessId": 0,
12 "ThreadId": 0,
13 "Level": "Info",
14 "Keywords": "0x80000000000000",
15 "SourceFile": "C:\\temp\\evtx\\Application.evtx",
16 "ExtraDataOffset": 0,
17 "HiddenRecord": false,
18 "TimeCreated": "2022-05-19T15:34:34.9710202+00:00",
19 "RecordNumber": 1
20 },
EvtxECmd 49
Analyzing EvtxECmd Output - XML

When executing EvtxECmd with XML output enabled, you will see similar output to the example
below:
1 <Event>
2 <System>
3 <Provider Name="Microsoft-Windows-EventSystem" Guid="{899daace-4868-4295-afcd-9eb8\
4 fb497561}" EventSourceName="EventSystem" />
5 <EventID Qualifiers="16384">4625</EventID>
6 <Version>0</Version>
7 <Level>4</Level>
8 <Task>0</Task>
9 <Opcode>0</Opcode>
10 <Keywords>0x80000000000000</Keywords>
11 <TimeCreated SystemTime="2022-05-19 15:34:34.9710202" />
12 <EventRecordID>1</EventRecordID>
13 <Correlation />
14 <Execution ProcessID="0" ThreadID="0" />
15 <Channel>Application</Channel>
16 <Computer>CFL-HostnameGoesHere</Computer>
17 <Security />
18 </System>
19 <EventData>
20 <Data Name="param1">86400</Data>
21 <Data Name="param2">SuppressDuplicateDuration</Data>
22 <Data Name="param3">Software\Microsoft\EventSystem\EventLog</Data>
23 </EventData>
24 </Event>
This is the preferred way to do research for creating new EvtxECmd Maps. EvtxECmd Maps use
XPath queries which would require XML output to develop a working XPath query.
EvtxECmd 50
EvtxECmd Key Takeaways

The Payload column will always have all the of XML data stored within a given event log. The
columns where data from the XML Payload are mapped to should be considered the highlights of
that particular event, but given that there are only 6 PayloadData columns, some events naturally
will have more than 6 relevant data points.
EvtxECmd 51
EvtxECmd References

• https://github.com/EricZimmerman/evtx is the GitHub repository for EvtxECmd
Blog Posts
Official Blog Posts
• Introducing EvtxECmd!!⁶⁵
Community Resources
• Enhancing Event Log Analysis with EvtxEcmd using KAPE⁶⁶
Download EvtxECmd
EvtxECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
Event Log Sample Data

Sample Event Log artifacts can be found at the DFIRArtifactMuseum⁶⁷.
⁶⁵https://binaryforay.blogspot.com/2019/04/introducing-evtxecmd.html
⁶⁶https://www.youtube.com/watch?v=BIkyWexMF0I
⁶⁷https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/EventLogs
IISGeoLocate
IISGeoLocate Introduction
IISGeoLocate can be used to geolocate IP addresses found in IIS Logs. IIS Logs can be located at
C:\inetpub\logs\LogFiles on Windows Server machines.
IISGeoLocate Use Cases
Law Enforcement
For those in Law Enforcement, this tool may not prove to be immediately useful, but should there
be a case where IIS logs are relevant, this tool can parse them!
Private Sector
For those in the Private Sector, this tool is useful for parsing IIS logs and helping to identify unique
IPs that can be geolocated and ran through useful resources like VirusTotal for IOC development.
Additionally, this tool can convert the IIS logs from flat text to CSV format for better ingestion into
Timeline Explorer.
IISGeoLocate 53
IISGeoLocate Switches
In a PowerShell window, running .\IISGeoLocate.exe will provide the following options when
running IISGeoLocate:
Description:
iisgeolocate version 2.2.0.0

https://github.com/EricZimmerman/iisGeolocate
Usage:
iisGeolocate [options]
Options:
-d <d> (REQUIRED) The directory that contains IIS logs. This will be recursi\
vely searched
for *.log files
--csv <csv> (REQUIRED) The directory to write results to
--sbl When true, do NOT show bad lines to console (they are stil\
l logged to a
file) [default: False]
--nul When true, do NOT create updated CSV files in --csv direct\
ory [default:
False]
Switch Descriptions
--sbl
This switch will instruct IISGeoLocate to not display bad lines to the console. These lines will still
be written to the file being written to the location specified with the --csv switch.
.\iisgeolocate.exe -d C:\inetpub\logs\LogFiles --csv C:\temp --sbl
--nul
This switch will instruct IISGeoLocate to not update the CSV file at the location specified with the
--csv switch.
.\iisgeolocate.exe -d C:\inetpub\logs\LogFiles --csv C:\temp --nul true

IISGeoLocate 54
IISGeoLocate Output
Analyzing IISGeoLocate Output - CSV

IISGeoLocate will convert IIS logs into CSV format for ingestion into Timeline Explorer as well as
adding IP geolocation data to each log entry.
IISGeoLocate References

• https://github.com/EricZimmerman/iisGeolocate is the GitHub repository for IISGeoLocate
Download IISGeoLocate
IISGeoLocate can be downloaded from https://ericzimmerman.github.io/#!index.md
JLECmd
JLECmd Introduction
Description
JLECmd is a tool created by Eric Zimmerman used to parse JumpList files. JumpLists are native to
the Windows operating system and are common indicators of file access.
JLECmd Use Cases
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing JumpLists which can provide useful
evidence of file access that can be attributed to a specific user account. JumpLists can provide insight
as to when a file was last opened.
Private Sector
For those in the Private Sector, this tool is useful for parsing JumpLists which can provide useful
evidence of file access that can be attributed to a specific user account. Often, these can be used
along with Shellbags and LNK files to determine which files and folders were accessed by a threat
actor during a period of unauthorized access
JLECmd 56
JLECmd Switches
In a PowerShell window, running .\JLECmd.exe will provide the following options when running
JLECmd:
Description:
JLECmd version 1.5.0.0

https://github.com/EricZimmerman/JLECmd
Examples: JLECmd.exe -f "C:\Temp\f01b4d95cf55d32a.customDestinations-ms"

--mp
JLECmd.exe -f "C:\Temp\f01b4d95cf55d32a.automaticDestinations-ms"
--json "D:\jsonOutput" --jsonpretty
JLECmd.exe -d "C:\CustomDestinations" --csv "c:\temp" --html "c:\temp"
-q
JLECmd.exe -d "C:\Users\e\AppData\Roaming\Microsoft\Windows\Recent"
--dt "ddd yyyy MM dd HH:mm:ss.fff"
Short options (single letter) are prefixed with a single dash. Long
commands are prefixed with two dashes
Usage:
JLECmd [options]
Options:
-f <f> File to process. Either this or -d is required
-d <d> Directory to recursively process. Either this or -f is
required
--all Process all files in directory vs. only files matching
*.automaticDestinations-ms or *.customDestinations-ms
[default: False]
--csv <csv> Directory to save CSV formatted results to. This or
--json required unless --de or --body is specified
--csvf <csvf> File name to save CSV formatted results to. When
present, overrides default name
--json <json> Directory to save json representation to. Use --pretty
for a more human readable layout
--html <html> Directory to save xhtml formatted results to. Be sure
to include the full path in double quotes
JLECmd 57
--pretty When exporting to json, use a more human readable

layout [default: False]
-q Only show the filename being processed vs all output.
Useful to speed up exporting to json and/or csv
[default: False]
--ld Include more information about lnk files [default:
False]
--fd Include full information about lnk files
(Alternatively, dump lnk files using --dumpTo and
process with LECmd) [default: False]
--appIds <appIds> Path to file containing AppIDs and descriptions
(appid|description format). New appIds are added to
the built-in list, existing appIds will have their
descriptions updated
--dumpTo <dumpTo> Directory to save exported lnk files
--dt <dt> The custom date/time format to use when displaying
timestamps. See https://goo.gl/CNVq0k for options.
Default is: yyyy-MM-dd HH:mm:ss [default: yyyy-MM-dd
HH:mm:ss]
--mp Display higher precision for timestamps [default:
False]
--withDir When true, show contents of Directory not accounted
for in DestList entries [default: False]
--debug Show debug information during processing [default:
False]
--trace Show trace information during processing [default:
False]
While there are explanations for each switch, let’s walk through each one of the switches unique to
JLECmd in further detail.
JLECmd 58
Switch Descriptions
--all
This switch will instruct JLECmd to attempt to parse every file in the directory specified, regardless
of file extension. Output will be generated only for those files identified to be .LNK files.
Example: .\JLECmd.exe -d D:\DFIRArtifactMuseum\Windows\JumpLists\Win10\APTSimulatorVM
--all
-q
This switch will instruct JLECmd to output only what files were processed rather than the parsed
data from each JumpList.
For instance, running .\JLECmd.exe -d "D:\DFIRArtifactMuseum" --csv "D:\DFIRArtifactMuseum\"
resulted in the following: Processed 15 out of 20 files in 0.6428 seconds
Running .\JLECmd.exe -d "D:\DFIRArtifactMuseum" --csv "D:\DFIRArtifactMuseum\" -q
--ld
This switch will instruct JLECmd to include more details about .LNK files. Specifically, JLECmd will
include the following information for each JumpList:
--- Link information ---

Flags: VolumeIdAndLocalBasePath
>> Volume information

Drive type: Fixed storage media (Hard drive)
Serial number: 88008C2F
Label: (No label)
Local path: C:\Users\e\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-\
ms
--fd
This switch will instruct JLECmd to include the full details of the .LNK files. An example of the
additional information included can be seen below:
JLECmd 59
Lnk target created: 2016-01-16 20:22:25

Lnk target modified: 2016-01-16 20:23:24
Lnk target accessed: 2016-01-16 20:23:24
--- Header ---
Target created: 2016-01-16 20:22:25

Target modified: 2016-01-16 20:23:24
Target accessed: 2016-01-16 20:23:24
File size: 3,483

Flags: HasTargetIdList, HasLinkInfo, IsUnicode
File attributes: FileAttributeArchive, FileAttributeNotContentIndexed
Icon index: 0
Show window: SwNormal (Activates and displays the window. The window is restored t\
o its original size and position if the window is minimized or maximized.)
--- Link information ---

Flags: VolumeIdAndLocalBasePath
>> Volume information

Drive type: Fixed storage media (Hard drive)
Serial number: 88008C2F
Label: (No label)
Local path: C:\Users\e\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-\
ms
--- Target ID information (Format: Type ==> Value) ---
and
-Root folder: GUID ==> User Libraries
-Variable ==> Videos
--- End Target ID information ---
--- Extra blocks information ---
>> Property store data block (Format: GUID\ID Description ==> Value)
9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3\7 App User Model Is DestList Link =\
=> True
JLECmd 60
>> Tracker database block

Machine ID: win7x64
MAC Address: 00:15:5d:01:6d:0b
MAC Vendor: (Unknown vendor)
Creation: 2016-01-16 21:18:45
Volume Droid: 42e937f8-244d-406d-86eb-43604356d1ae

Volume Droid Birth: 42e937f8-244d-406d-86eb-43604356d1ae
File Droid: ba034b9e-bc96-11e5-b231-00155d016d0b
File Droid birth: ba034b9e-bc96-11e5-b231-00155d016d0b
(lnk file not present)
--appIds
This switch will instruct JLECmd to use an AppIDs.txt file specified by the user. Default is using
the built-in AppIDs.txt file included within JLECmd, which can be found here: https://github.com/
EricZimmerman/JumpList/blob/master/JumpList/Resources/AppIDs.txt
Example: .JLECmd.exe -f “D:DFIRArtifactMuseumWindowsJumpListsWin7\1b4dd67f29cb1962.automaticDestinatio
ms” –appIds “C:\tempAppIDs.txt”
--dumpTo
This switch will instruct JLECmd to dump the .LNK files associated with the JumpList to the specified
location.
Example: .JLECmd.exe -f “D:DFIRArtifactMuseumWindowsJumpListsWin7\1b4dd67f29cb1962.automaticDestinatio
ms” –dumpTo “D:DFIRArtifactMuseum\testJL”
--mp
This switch will instruct JLECmd to provide more verbose timestamps. For instance, running
.\JLECmd.exe -f "D:\DFIRArtifactMuseum\Windows\JumpLists\Win7\1b4dd67f29cb1962.automaticDestinations
resulted in the following:
JLECmd 61
--- DestList entries ---

Entry #: 4
MRU: 0
Path: ::{031E4825-7B94-4DC3-B131-E946B44C8DD5}\Videos.library-ms ==> User Librarie\
s\Videos.library-ms
Pinned: False
Created on: 2016-01-16 21:18:45
Last modified: 2016-01-16 20:23:24
Hostname: win7x64
Mac Address: 00:15:5d:01:6d:0b
Interaction count: 0
--- Lnk information ---

Absolute path: User Libraries\Videos
Running .\JLECmd.exe -f "D:\DFIRArtifactMuseum\Windows\JumpLists\Win7\1b4dd67f29cb1962.automaticDesti

--mp resulted in the following:

Entry #: 4
MRU: 0
Path: ::{031E4825-7B94-4DC3-B131-E946B44C8DD5}\Videos.library-ms ==> User Librarie\
s\Videos.library-ms
Pinned: False
Created on: 2016-01-16 21:18:45.6562590
Last modified: 2016-01-16 20:23:24.8901093
Hostname: win7x64
Mac Address: 00:15:5d:01:6d:0b

Absolute path: User Libraries\Videos
--withDir
This switch will instruct JLECmd to list directories not account for in the DestList entries.
For example, running .\JLECmd.exe -f "D:\DFIRArtifactMuseum\Windows\JumpLists\Win10\APTSimulatorVM\f01b
--withDir resulted in the following extra data:
JLECmd 62
Directory entries not represented by DestList entries

Directory: a
Absolute path: My Computer\C:\Users\TestUser\Downloads\APTSimulator_pw_apt\dist
Directory: b
Absolute path: My Computer\C:\Users\TestUser\Desktop\Targets

JLECmd 63
JLECmd Command Examples
Example JLECmd Commands
Parse a single JumpList and view the results within the console
JLECmd.exe -f "D:\DFIRArtifactMuseum\Windows\JumpLists\Win10\APTSimulatorVM\f01b4d95\
cf55d32a.automaticDestinations-ms"
Parse a single JumpList and output the results to CSV at specified location
cf55d32a.automaticDestinations-ms” --csv C:\Temp
Parse a single JumpList, output to JSON in pretty format
cf55d32a.automaticDestinations-ms" --json "D:\jsonOutput" --pretty
Parse a directory, output to CSV at specified location, output to HTML at

specified location, output to XML to specified location, while only showing the
filename being processed (used to speed up processing)
JLECmd.exe -d "C:\Temp" --csv "c:\temp" --html c:\temp --xml c:\temp\xml -q
Parse all files in a directory (regardless of presence of .JumpList extension)
JLECmd.exe -d "C:\Temp" --all
Parse a single JumpList and view the results within the console with higher
precision timestamps
cf55d32a.automaticDestinations-ms" --mp
JLECmd 64
JLECmd Output
Analyzing JLECmd Output - Console

When parsing JumpList files with JLECmd without the -q switch, JLECmd will display in the console
window parsed data from each .LNK filed processed.
JLECmd 65
Analyzing JLECmd Output - CSV

When parsing JumpLists with JLECmd with the --csv switch, JLECmd will output the parsed data
into a CSV file. The CSV file can then be ingested into a tool like Timeline Explorer to analyze the
parsed data.
JLECmd 66
Analyzing JLECmd Output - JSON

When parsing JumpLists with JLECmd with the --json switch, JLECmd will output the parsed data
into a JSON file.
![](jlecmd\JSONPrettyReportExample.jpg)
{
"Directory": [
{
"ClassId": "00450020006e00747200790000000000",
"UserFlags": 0,
"ModifiedTime": "\/Date(1646941766733)\/",
"FirstDirectorySectorId": 3,
"DirectorySize": 576,
"PreviousDirectoryId": -1,
"NextDirectoryId": -1,
"SubDirectoryId": 1,
"DirectoryName": "Root Entry",
"DirectoryType": "RootStorage",
"NodeColor": "Red"
},
{
"ClassId": "00000000000000000000000000000000",
"UserFlags": 0,
"NextDirectoryId": 2,
"SubDirectoryId": -1,
"DirectoryName": "1",
"DirectoryType": "Stream",
"NodeColor": "Black"
},
{
"ClassId": "0069004c007300740000000000000000",
"UserFlags": 0,
"NextDirectoryId": -1,
"SubDirectoryId": -1,
"DirectoryName": "DestList",
JLECmd 67
"DirectoryType": "Stream",
"NodeColor": "Red"
}
],
"AppId": {
"AppId": "573770283dc3d854",
"Description": "Windows Defender"
},
"DestListCount": 1,
"PinnedDestListCount": 0,
"LastUsedEntryNumber": 1,
"DestListVersion": 4,
"SourceFile": "D:\\DFIRArtifactMuseum\\Windows\\JumpLists\\Win10\\APTSimulatorVM\\5\
73770283dc3d854.automaticDestinations-ms",
"DestListEntries": [
{
"Hostname": "",
"VolumeDroid": "00000000000000000000000000000000",
"VolumeBirthDroid": "00000000000000000000000000000000",
"FileDroid": "00000000000000000000000000000000",
"FileBirthDroid": "00000000000000000000000000000000",
"EntryNumber": 1,
"MRUPosition": 0,
"InteractionCount": 1,
"CreatedOn": "\/Date(-12219292800000)\/",
"LastModified": "\/Date(1646941766733)\/",
"Pinned": false,
"Path": "windowsdefender://threat/",
"MacAddress": "00:00:00:00:00:00",
"Lnk": {
"TargetIDs": [
{
"__type": "Lnk.ShellItems.ShellBag0X1F, Lnk",
"PropertyStore": {
"Sheets": [
]
},
"FriendlyName": "Root folder: GUID",
"Value": "Internet Explorer (Homepage)",
"ExtensionBlocks": [
]
},
{
JLECmd 68
"__type": "Lnk.ShellItems.ShellBag0X61, Lnk",

"UserName": "",
"FriendlyName": "URI",
"Value": "windowsdefender://threat/",
"ExtensionBlocks": [
]
}
],
"ExtraBlocks": [
{
"__type": "Lnk.ExtraData.PropertyStoreDataBlock, Lnk
"PropertyStore": {
"Sheets": [
{
"Size": 45,
"Version": "31-53-50-53",
"GUID": "9f4c2855-9f79-4b39-
"PropertyNames": {
"7": "True"
},
"PropertySheetType": "Numeri
}
]
}
}
],
"SourceFile": "D:\\DFIRArtifactMuseum\\Windows\\JumpLists\\Win10\\AP
\\573770283dc3d854.automaticDestinations-ms_Directory name_1",
"RawBytes": "TAAAAAEUAgAAAAAAwAAAAAAAAEaBAKAA<SNIP>",
"Header": {
"Signature": "0002140100000000c000000000000046",
"DataFlags": 10485889,
"FileAttributes": 0,
"TargetCreationDate": "\/Date(-11644473600000)\/",
"TargetModificationDate": "\/Date(-11644473600000)\/",
"TargetLastAccessedDate": "\/Date(-11644473600000)\/",
"FileSize": 0,
"IconIndex": 0,
"HotKey": "",
"ShowWindow": "SwNormal",
"Reserved0": 0,
"Reserved1": 0,
"Reserved2": 0
JLECmd 69
},
"LocationFlags": 0
}
}
]
}
JLECmd 70
Analyzing JLECmd Output - HTML

When parsing JumpLists with JLECmd with the --html switch, JLECmd will output the parsed data
into an HTML file. Please note, the HTML file will be placed into a dedicated subfolder, which is
not normally the case when outputting to CSV or JSON.
JLECmd 71
JLECmd Sample Output

.\JLECmd.exe -d "D:\DFIRArtifactMuseum\Windows\JumpLists\Win10\APTSimulatorVM"
---------- Processed D:\DFIRArtifactMuseum\Windows\JumpLists\Win10\APTSimulatorVM\cc\

ba5a5986c77e43.customDestinations-ms in 0.01157700 seconds ----------
Processing D:\DFIRArtifactMuseum\Windows\JumpLists\Win10\APTSimulatorVM\f01b4d95cf55\
d32a.automaticDestinations-ms
Source file: D:\DFIRArtifactMuseum\Windows\JumpLists\Win10\APTSimulatorVM\f01b4d95cf\

55d32a.automaticDestinations-ms
--- AppId information ---

AppID: f01b4d95cf55d32a
Description: Windows Explorer Windows 8.1
--- DestList information ---

Expected DestList entries: 11
Actual DestList entries: 11
DestList version: 4

Entry #: 11
MRU: 0
Path: C:\Users\TestUser\Desktop\Targets
Pinned: False
Created on: 2022-03-10 16:35:09
Last modified: 2022-03-10 21:40:42
Hostname: desktop-tmku40h
Mac Address: ec:63:d7:72:83:36

Absolute path: My Computer\C:\Users\TestUser\Desktop\Targets
Entry #: 1
MRU: 1
Path: knownfolder:{754AC886-DF64-4CBA-86B5-F7FBF4FBCEF5} ==> ThisPCDesktopFolder
Pinned: True
Created on: 2022-03-10 19:33:36
JLECmd 72
Last modified: 2022-03-10 21:40:42


Absolute path: My Computer\Desktop
Entry #: 10
MRU: 2
Path: C:\Users\TestUser\Downloads\APTSimulator_pw_apt\dist
Pinned: False
Created on: 2022-03-10 16:35:09
Last modified: 2022-03-10 19:49:34

Absolute path: My Computer\C:\Users\TestUser\Downloads\APTSimulator_pw_apt\dist
Entry #: 9
MRU: 3
Path: C:\Users\TestUser\Downloads\APTSimulator_pw_apt\APTSimulator
Pinned: False
Created on: 2022-03-10 16:35:09
Last modified: 2022-03-10 19:49:34

Absolute path: My Computer\C:\Users\TestUser\Downloads\APTSimulator_pw_apt\APTSimu\
lator
Entry #: 8
MRU: 4
Path: C:\Users\TestUser\Downloads\APTSimulator_pw_apt
Pinned: False
Created on: 2022-03-10 16:35:09
JLECmd 73
Last modified: 2022-03-10 19:49:34


Absolute path: My Computer\C:\Users\TestUser\Downloads\APTSimulator_pw_apt
Entry #: 7
MRU: 5
Path: C:\Users\TestUser\Downloads\Sysmon
Pinned: False
Created on: 2022-03-10 16:35:09
Last modified: 2022-03-10 19:49:07

Absolute path: My Computer\C:\Users\TestUser\Downloads\Sysmon
Entry #: 6
MRU: 6
Path: knownfolder:{18989B1D-99B5-455B-841C-AB7C74E4DDFC} ==> Videos
Pinned: False
Created on: 2022-03-10 19:33:36
Last modified: 2022-03-10 16:35:24

Absolute path: My Computer\Videos
Entry #: 5
MRU: 7
Path: knownfolder:{4BD8D571-6D19-48D3-BE97-422220080E43} ==> Music
Pinned: False
Created on: 2022-03-10 19:33:36
Last modified: 2022-03-10 16:35:24
JLECmd 74

Absolute path: My Computer\Music
Entry #: 3
MRU: 8
Path: knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7} ==> Documents
Pinned: True
Created on: 2022-03-10 19:33:36
Last modified: 2022-03-10 16:35:24

Absolute path: My Computer\Documents
Entry #: 4
MRU: 9
Path: knownfolder:{33E28130-4E1E-4676-835A-98395C3BC3BB} ==> Pictures
Pinned: True
Created on: 2022-03-10 19:33:36
Last modified: 2022-03-10 16:35:24

Absolute path: My Computer\Pictures
Entry #: 2
MRU: 10
Path: knownfolder:{374DE290-123F-4565-9164-39C4925E467B} ==> Downloads
Pinned: True
Created on: 2022-03-10 19:33:36
Last modified: 2022-03-10 16:34:28
JLECmd 75


Absolute path: My Computer\Downloads
JLECmd 76
JLECmd Key Takeaways

JLECmd parses JumpLists, which are a collection of LNK files organized by AppID. JumpLists
provide indicators of file access.
JLECmd output, regardless of file format, will provide potentially useful information about user
activity on a given Windows system.
Last Modified
This timestamp will provide you with the a reliable indication of when a file was opened with a
specific application.
1 --- AppId information ---

2 AppID: f01b4d95cf55d32a
3 Description: Windows Explorer Windows 8.1
4
5 --- DestList information ---
6 Expected DestList entries: 11
7 Actual DestList entries: 11
8 DestList version: 4
9
10 --- DestList entries ---
11 Entry #: 11
12 MRU: 0
13 Path: C:\Users\TestUser\Desktop\Targets
14 Pinned: False
15 Created on: 2022-03-10 16:35:09
16 Last modified: 2022-03-10 21:40:42
17 Hostname: desktop-tmku40h
18 Mac Address: ec:63:d7:72:83:36
19 Interaction count: 1
20
21 --- Lnk information ---
22 Absolute path: My Computer\C:\Users\TestUser\Desktop\Targets
JLECmd 77
JLECmd References

library
Blog Posts
Official Blog Posts
Blog posts from Eric Zimmerman’s blog, Binary Foray⁶⁸:
• Jump lists in depth: Understand the format to better understand what your tools are (or aren’t)
doing⁶⁹
• Introducing JLECmd!⁷⁰
• PECmd, LECmd, and JLECmd updated!⁷¹
• LECmd and JLECmd updated⁷²
• JLECmd v0.9.6.0 released⁷³
Community Resources
• Links to blog posts go here
Download JLECmd
JLECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
JumpList Sample Data

Sample JumpList files can be found at the DFIRArtifactMuseum⁷⁴.
⁶⁸https://binaryforay.blogspot.com/
⁶⁹https://binaryforay.blogspot.com/2016/02/jump-lists-in-depth-understand-format.html
⁷⁰https://binaryforay.blogspot.com/2016/03/introducing-jlecmd.html
⁷¹https://binaryforay.blogspot.com/2016/03/pecmd-lecmd-and-jlecmd-updated.html
⁷²https://binaryforay.blogspot.com/2016/04/lecmd-and-jlecmd-updated.html
⁷³https://binaryforay.blogspot.com/2016/09/jlecmd-v0960-released.html
⁷⁴https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/JumpLists
LECmd
LECmd Introduction
Description
LECmd is a tool created by Eric Zimmerman used to parse .LNK files. .LNK files are native to the
Windows operating system and are common indicators of file access.
LECmd Use Cases
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing LNK files which can provide useful
evidence of file access that can be attributed to a specific user account. LNK files can provide insight
as to when a file was first opened and last opened.
Private Sector
For those in the Private Sector, this tool is useful for parsing LNK files which can provide useful
evidence of file access that can be attributed to a specific user account. Often, these can be used
along with Shellbags and JumpLists to determine which files and folders were accessed by a threat
actor during a period of unauthorized access
LECmd 79
LECmd Switches
In a PowerShell window, running .\LECmd.exe will provide the following options when running
LECmd:
Description:
LECmd version 1.5.0.0

https://github.com/EricZimmerman/LECmd
Examples: LECmd.exe -f "C:\Temp\foobar.lnk"

LECmd.exe -f "C:\Temp\somelink.lnk" --json "D:\jsonOutput" --jsonpretty
LECmd.exe -d "C:\Temp" --csv "c:\temp" --html c:\temp --xml c:\temp\xml \
-q
LECmd.exe -f "C:\Temp\some other link.lnk" --nid --neb
LECmd.exe -d "C:\Temp" --all
Usage:
LECmd [options]
Options:
-r Only process lnk files pointing to removable drives [default: Fals\
e]
-q Only show the filename being processed vs all output. Useful to sp\
eed up exporting to json and/or csv
[default: False]
--all Process all files in directory vs. only files matching *.lnk [defa\
ult: False]
--csv <csv> Directory to save CSV formatted results to. Be sure to include the\
--csvf <csvf> File name to save CSV formatted results to. When present, override\
s default name
--xml <xml> Directory to save XML formatted results to. Be sure to include the\
--html <html> Directory to save xhtml formatted results to. Be sure to include t\
LECmd 80
he full path in double quotes

--json <json> Directory to save json representation to. Use --pretty for a more \
human readable layout
--pretty When exporting to json, use a more human readable layout [default:\
False]
--nid Suppress Target ID list details from being displayed [default: Fal\
se]
--neb Suppress Extra blocks information from being displayed [default: F\
alse]
--dt <dt> The custom date/time format to use when displaying time stamps. Se\
e https://goo.gl/CNVq0k for options
[default: yyyy-MM-dd HH:mm:ss]
--mp Display higher precision for time stamps [default: False]
While there are explanations for each switch, let’s walk through each one of the switches unique to
LECmd in further detail.
LECmd Switch Descriptions
-r
This switch will instruct LECmd to parse .LNK files that point to a file being opened from a
removable drive ONLY.
Example: .\LECmd.exe -d D:\DFIRArtifactMuseum\Windows\LNK\Win10 -r
-q
This switch will instruct LECmd to output only what files were processed rather than the parsed
data from each .LNK file.
For instance, running .\LECmd.exe -d "D:\DFIRArtifactMuseum" --csv "D:\DFIRArtifactMuseum\"
Running .\LECmd.exe -d "D:\DFIRArtifactMuseum" --csv "D:\DFIRArtifactMuseum\" -q resulted
in the following: Processed 554 out of 554 files in 0.3951 seconds
LECmd 81
--all
This switch will instruct LECmd to attempt to parse every file in the directory specified, regardless
of file extension. Output will be generated only for those files identified to be .LNK files.
Example: .\LECmd.exe -d D:\DFIRArtifactMuseum\Windows --all
--nid
This switch will instruct LECmd to suppress the Target ID list details. This will provide a message
similar to this in place of the Target ID list details: (Target ID information suppressed. Lnk
TargetID count: 6)
Example: .\LECmd.exe -d D:\DFIRArtifactMuseum\Windows\LNK\Win10 --nid
--neb
This switch will instruct LECmd to suppress the Extra blocks details. This will provide a message
similar to this in place of the Target ID list details: (Extra blocks information suppressed. Lnk
Extra block count: 2)
Example: .\LECmd.exe -d D:\DFIRArtifactMuseum\Windows\LNK\Win10 --neb
--mp
This switch will instruct LECmd to provide more verbose timestamps. For instance, running
.\LECmd.exe -f "D:\DFIRArtifactMuseum\Windows\LNK\Win10\XWFIM.lnk.test resulted in the
following:
Source file: D:\DFIRArtifactMuseum\Windows\LNK\Win10\XWFIM.lnk.test

Source created: 2022-01-31 17:25:58
Source modified: 2022-01-31 17:25:58
Source accessed: 2022-06-05 01:57:47
Running .\LECmd.exe -f "D:\DFIRArtifactMuseum\Windows\LNK\Win10\XWFIM.lnk.test" --mp

resulted in the following:
Source file: D:\DFIRArtifactMuseum\Windows\LNK\Win10\XWFIM.lnk.test

Source created: 2022-01-31 17:25:58.4983924
Source modified: 2022-01-31 17:25:58.0000000
Source accessed: 2022-06-05 01:57:51.8825142
LECmd 82
LECmd Command Examples
Example LECmd Commands
Parse a single LNK file and view the results within the console
LECmd.exe -f "C:\Temp\foobar.lnk"
Parse a single LNK file and output the results to CSV at specified location
LECmd.exe -f C:\Temp\foobar.lnk --csv C:\Temp
Parse a single LNK file, output to JSON in pretty format
LECmd.exe -f "C:\Temp\somelink.lnk" --json "D:\jsonOutput" --pretty
Parse a directory, output to CSV at specified location, output to HTML at

specified location, output to XML to specified location, while only showing the
filename being processed (used to speed up processing)
LECmd.exe -d "C:\Temp" --csv "c:\temp" --html c:\temp --xml c:\temp\xml -q
Parse a single LNK file while suppressing Target ID list details and Extra blocks
information
LECmd.exe -f "C:\Temp\some other link.lnk" --nid --neb
Parse all files in a directory (regardless of presence of .LNK file extension)
LECmd.exe -d "C:\Temp" --all
Parse all files in a directory (regardless of presence of .LNK file extension), but
only provide output for those .LNK files that point to removable drives
LECmd.exe -d "C:\Temp" --all -r
Parse a single LNK file and view the results within the console with higher
precision timestamps
LECmd 83
LECmd.exe -f "D:\DFIRArtifactMuseum\Windows\LNK\Win10\XWFIM.lnk.test" --mp

LECmd 84
LECmd Sample Output

.\LECmd.exe -d "D:\DFIRArtifactMuseum\Windows\LNK\Win10" --mp
Processing D:\DFIRArtifactMuseum\Windows\LNK\Win10\XPS Viewer.lnk
Source file: D:\DFIRArtifactMuseum\Windows\LNK\Win10\XPS Viewer.lnk

Source created: 2022-01-31 17:25:58.4973918
Source modified: 2022-01-31 17:25:58.0000000
Source accessed: 2022-06-12 18:38:15.3854180
--- Header ---

Target created: null
Target modified: null
Target accessed: null
File size: 0
Flags: HasName, HasIconLocation, IsUnicode, ForceNoLinkInfo, HasExpString, PreferE\
nvironmentPath
File attributes: 0
Icon index: -108
Show window: SwNormal (Activates and displays the window. The window is restored t\
o its original size and position if the window is minimized or maximized.)
Name: @%systemroot%\system32\XpsRchVw.exe,-103
Icon Location: %systemroot%\system32\XpsRchVw.exe
--- Extra blocks information ---
>> Property store data block (Format: GUID\ID Description ==> Value)
46588ae2-4cbc-4338-bbfc-139326986dce\0 (Description not available) =\
=> 0
9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3\18 App User Model Installed By =\
=> 1
>> Environment variable data block

Environment variables: %systemroot%\system32\xpsrchvw.exe
---------- Processed D:\DFIRArtifactMuseum\Windows\LNK\Win10\XPS Viewer.lnk in 0.004\

35160 seconds ----------
LECmd 85
LECmd Output
Analyzing LECmd Output - Console

When parsing .LNK files with LECmd without the -q switch, LECmd will display in the console
window parsed data from each .LNK filed processed.
LECmd 86
LECmd 87
LECmd 88
LECmd 89
Analyzing LECmd Output - CSV

When parsing .LNK files with LECmd with the --csv switch, LECmd will output the parsed data
into a CSV file. The CSV file can then be ingested into a tool like Timeline Explorer to analyze the
parsed data.
LECmd 90
Analyzing LECmd Output - JSON

When parsing .LNK files with LECmd with the --json switch, LECmd will output the parsed data
into a JSON file.
LECmd 91
Analyzing LECmd Output - XML

When parsing .LNK files with LECmd with the --xml switch, LECmd will output the parsed data
into an XML file.
LECmd 92
Analyzing LECmd Output - HTML

When parsing .LNK files with LECmd with the --html switch, LECmd will output the parsed data
into an HTML file. Please note, the HTML file will be placed into a dedicated subfolder, which is
not normally the case when outputting to CSV, XML, or JSON.
LECmd 93
LECmd Key Takeaways

LECmd parses .LNK files, which are indicative of file access. .LNK files are created when a file is
opened for the first time. If a .LNK file exists for a given file or folder, then that file or folder has
been accessed at least once by a user.
LECmd output, regardless of file format, will provide potentially useful information about user
activity on a given Windows system.
Timestamps
LECmd output will provide the following timestamps:

* SourceCreated - The creation timestamp associated with the .LNK file itself
* SourceModified - The modified timestamp associated with the .LNK file itself
* SourceAccessed - The accessed timestamp associated with the .LNK file itself
* TargetCreated - The creation timestamp associated with the file the .LNK file points to
* TargetModified - The modified timestamp associated with the file the .LNK file points to
* TargetAccessed - The accessed timestamp associated with the file the .LNK file points to
SourceCreated will be the most useful indicator of when a file was first opened by a user.
SourceModified will be the most useful indicator of when the file was last opened by a user.
The Target timestamps can be useful to cross reference with the timestamps in the MFT. Usually,
these timestamps are the 0x10 ($Standard_Information) timestamps from the $MFT. In testing, it
appears the timestamps stored within the .LNK file are “refreshed” when a file is opened again. The
timestamps stored within a .LNK file are therefore a snapshop in time of when the .LNK file was
last modified via opening a file. This can be useful in that if a file was timestomped (aka timestamps
altered), those altered timestamps won’t reflect in the .LNK file until the timestomped file has been
opened AFTER being timestomped.
Other Attributes
SourceFile
SourceFile will provide the file path to the LNK file being parsed.
FileSize
FileSize will provide the file size of the target file that the .LNK file is pointing to.
WorkingDirectory
WorkingDirectory will provide the parent directory that the target file resides in.
LECmd 94
DriveType
DriveType will provide insight as to what type of drive the SourceFile resided on at the time of file
access.
VolumeSerialNumber
VolumeSerialNumber will provide the Volume Serial Number of the drive the target file resided on
at the time of file access.
LocalPath
LocalPath will provide the full path to the target file that was accessed by the user.
TargetMFTEntryNumber
TargetMFTEntryNumber will provide the MFT Entry number for the Target File in hexadecimal and
decimal.
TargetMFTSequenceNumber
TargetMFTSequenceNumber will provide the MFT Sequence number for the Target File in hexadec-
imal and decimal.
MachineID
MachineID will provide the hostname of the hostnam the target file resided on at the time of file
access, if the tracker database block is present within the LNK file.
MachineMACAddress
MachineMACAddress will provide the MAC Address for the host, if the tracker database block is
present within the LNK file.
MACVendor
MACVendor will resolve the MAC address to provide the associated vendor, if known, and if the
tracker database block is present within the LNK file..
ExtraBlocksPresent
ExtraBlocksPresent will provide insight as to whether or not extra data blcoks are present within the
LNK file. The other blocks that are possible to be present within a LNK file are: TrackerDataBase-
Block and PropertyStoreDataBlock.
LECmd 95
LECmd References

• https://github.com/EricZimmerman/Lnk is the C# library for parsing .LNK files
• https://github.com/EricZimmerman/LECmd is the Command Line wrapper for the .LNK
library
Blog Posts
Official Blog Posts
Blog posts from Eric Zimmerman’s blog, Binary Foray⁷⁵:
• Introducing LECmd!⁷⁶
• LECmd v0.6.0.0 released!⁷⁷
• PECmd, LECmd, and JLECmd updated!⁷⁸
• LECmd and JLECmd updated⁷⁹
Download LECmd
LECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
LNK Sample Data

Sample LNK files can be found at the DFIRArtifactMuseum⁸⁰.
⁷⁵https://binaryforay.blogspot.com/
⁷⁶https://binaryforay.blogspot.com/2016/02/introducing-lecmd.html
⁷⁷https://binaryforay.blogspot.com/2016/02/lecmd-v0600-released.html
⁷⁸https://binaryforay.blogspot.com/2016/03/pecmd-lecmd-and-jlecmd-updated.html
⁷⁹https://binaryforay.blogspot.com/2016/04/lecmd-and-jlecmd-updated.html
⁸⁰https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/LNK
MFTECmd
MFTECmd Introduction
MFTECmd is a tool created by Eric Zimmerman used to parse various NTFS metadata artifacts,
including but not limited to the $MFT, $J, $Boot, $SDS, and $I30 files.
File Types Parsed by MFTECmd
#SDS
$SDS contains a list of all the security descriptors on a given volume. Learn more about the $SDS
here⁸¹.
$Boot
$Boot is the NTFS metadata file for the NTFS Partition Boot Sector. Learn more about the $Boot
here⁸².
$MFT
$MFT contains metadata about every file and folder on an NTFS volume within FILE records. Learn
more about the $MFT here⁸³.
$J
$J tracks changes that were made to files and folders on an NTFS volume. Learn more about the $J
here⁸⁴.
$I30
$I30 files can provide insight into deleted and overwritten files. Learn more about $I30 files here⁸⁵.
⁸¹https://www.ntfs.com/ntfs-permissions-file-structure.htm
⁸²https://www.ntfs.com/ntfs-partition-boot-sector.htm
⁸³https://www.ntfs.com/ntfs-mft.htm
⁸⁴https://en.wikipedia.org/wiki/USN_Journal
⁸⁵https://www.sans.org/blog/ntfs-i30-index-attributes-evidence-of-deleted-and-overwritten-files/#:~:text=Interestingly%2C%20NTFS%
20directory%20index%20entries%20utilize%20a%20%24FILE_NAME,trove%20of%20information%20about%20the%20file%3A%20Full%
20filename
MFTECmd 97
MFTECmd Use Cases
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing NTFS metadata files that can provide
invaluable information relating to the files that currently exist, previously existed, and what changes
have occurred to those files and at what time. The $MFT should be examined in nearly every instance
as that will provide insight as to which files and folders exist on a system currently. The $J should
be examined in nearly every instance as it will provide insight as to which files changed in which
ways, including but not limited to file creations, file deletions, file renames, etc. The $I30 can provide
insight into folders that no longer exist on a system.
Private Sector
For those in the Private Sector, this tool is useful for parsing NTFS metadata files that can provide
invaluable information relating to the files that currently exist, previously existed, and what changes
have occurred to those files and at what time. The $MFT can be useful in locating suspicious files
and folders that were created by a threat actor during a period of unauthorized access. The $J can
provide insight into files that no longer exist on disk and no longer have references within the $MFT,
including but not limited to threat actor tool output or evidence of malicious executables that were
deleted after being executed.
MFTECmd 98
MFTECmd Switches
In a PowerShell window, running .\MFTECmd.exe will provide the following options when running
MFTECmd:
Description:
MFTECmd version 1.2.1.0

https://github.com/EricZimmerman/MFTECmd
Examples: MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out" --csvf MyOutputFile\

.csv
MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out"
MFTECmd.exe -f "C:\Temp\SomeMFT" --json "c:\temp\jsonout"
MFTECmd.exe -f "C:\Temp\SomeMFT" --body "c:\temp\bout" --bdl c
MFTECmd.exe -f "C:\Temp\SomeMFT" --de 5-5
ands are prefixed
with two dashes
Usage:
MFTECmd [options]
Options:
-f <f> File to process ($MFT | $J | $Boot | $SDS | $I30). Required
-m <m> $MFT file to use when -f points to a $J file (Use this to resolve\
parent path
in $J CSV output).
--json <json> Directory to save JSON formatted results to. This or --csv requir\
ed unless --de
or --body is specified
des default
name
--csv <csv> Directory to save CSV formatted results to. This or --json requir\
ed unless --de
es default name
--body <body> Directory to save bodyfile formatted results to. --bdl is also re\
MFTECmd 99
quired when
using this option
--bodyf <bodyf> File name to save body formatted results to. When present, overri\
des default
name
--bdl <bdl> Drive letter (C, D, etc.) to use with bodyfile. Only the drive le\
tter itself
should be provided
--blf When true, use LF vs CRLF for newlines [default: False]
--dd <dd> Directory to save exported FILE record. --do is also required whe\
n using this
option
--do <do> Offset of the FILE record to dump as decimal or hex. Ex: 5120 or \
0x1400 Use
--de or --debug to see offsets
--de <de> Dump full details for entry/sequence #. Format is 'Entry' or 'Ent\
ry-Seq' as
decimal or hex. Example: 5, 624-5 or 0x270-0x5.
--dr When true, dump resident files to dir specified by --csv, in 'Res\
ident'
subdirectory. Files will be named
'<EntryNumber>-<SequenceNumber>_<FileName>.bin'
--fls When true, displays contents of directory specified by --de. Igno\
red when --de
points to a file [default: False]
--ds <ds> Dump full details for Security Id as decimal or hex. Example: 624\
or 0x270
--dt <dt> The custom date/time format to use when displaying time stamps. S\
ee
https://goo.gl/CNVq0k for options [default: yyyy-MM-dd HH:mm:ss.f\
ffffff]
--sn Include DOS file name types [default: False]
--fl Generate condensed file listing. Requires --csv [default: False]
--at When true, include all timestamps from 0x30 attribute vs only whe\
n they differ
from 0x10 [default: False]
--rs When true, recover slack space from FILE records when processing \
MFT files.
This option has no effect for $I30 files [default: False]
-f [default:
False]
--dedupe Deduplicate -f & VSCs based on SHA-1. First file found wins [defa\
MFTECmd 100
ult: False]
-f is required. Exiting
MFTECmd 101
Switch Descriptions
-m
This switch informs the tool to parse an $MFT along with its associated $J. The main benefit for this
is the resolution of the Parent Path column in the $J output, which will save examiners from having
to manually cross reference the Parent Entry ID in the $MFT to the one associated with a change
recorded in the $J. This is absolutely worth the extra effort.
Example: .\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\J\Win10\APTSimulatorVM\$J'
-m 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\MFT\Win10\APTSimulatorVM\$MFT' --csv
"C:\temp"
--body
This switch informs the tool to output to a bodyfile⁸⁶. Please note, the --bdl switch is required when
using --bdl.
Example: .\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\MFT\Win10\APTSimulatorVM\$MFT'
--body C:\temp --bdl C
--bodyf
This switch informs the tool to name the bodyfile output a specified filename.
--body C:\temp --bdl C --bodyf test
The above command will output a file named test.
--bdl
This switch informs the tool to use a specified drive letter when providing output to bodyfile format.
--body C:\temp --bdl C
--blf
This switch informs the tool to use LF instead of CRLF for line endings in . More information about
LF vs. CRLF can be found here⁸⁷.
--csv "C:\temp" --blf
⁸⁶https://forensicswiki.xyz/wiki/index.php?title=Bodyfile
⁸⁷https://www.aleksandrhovhannisyan.com/blog/crlf-vs-lf-normalizing-line-endings-in-git/
MFTECmd 102
--dd
This switch informs the tool to save an exported FILE record to a specified directory. Please note,
the --do switch is required when using --dd.
--dd C:\temp --do 679
--do
This switch informs the tool of which decimal or hex offset to dump to a specified location.
--dd C:\temp --do 679
--de
This switch informs the tool to dump the full details of a specific entry number.
--de 679
--dr
This switch informs the tool to dump all files resident within the $MFT to a specified directory.
Please note, the specified directory will be whatever is specified for the --csv switch.
--csv c:\temp --dr
--fls
This switch informs the tool to display the contents of a folder based on the data stored within the
$MFT.
--de 500 --fls
The above command will display results similar to below:

MFTECmd 103
1 Contents for .\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.42192.0_x6\

2 4__8wekyb3d8bbwe\microsoft.system.package.metadata
3
4 Key Type Name
5 115558-4 File resources.ae44601c.pri
6 115558-4 File S-1-5-21-2212929841-2730996645-2649195864-10\
7 00-MergedResources-1.pri
Removing the --fls switch would display the timestamps and other NTFS metadata stored about
that directory within the $MFT.
--ds
This switch informs the tool to provide information about the specified security descriptor.
Example: .\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\Secure_-
$SDS\Win10\APTSimulatorVM\$Secure_$SDS' --ds 256
The above command would yield the following output:
1 Command line: -f D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\Secure_$SDS\Win10\APTSi\

2 mulatorVM\$Secure_$SDS --ds 256
3
4 File type: Sds
5
6
7 Processed D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\Secure_$SDS\Win10\APTSimulator\
8 VM\$Secure_$SDS in 0.0042 seconds
9
10 SDS entries found in D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\Secure_$SDS\Win10\A\
11 PTSimulatorVM\$Secure_$SDS: 4,626
12
13 Details for security record # 256 (0x100), Found in D:\DFIRArtifactMuseum\Windows\NT\
14 FSArtifacts\Secure_$SDS\Win10\APTSimulatorVM\$Secure_$SDS
15 Hash value: CBC6FE32, Offset: 0x0
16 Control flags: SeDaclPresent | SeSelfRelative
17
18 Owner SID: S-1-5-18: An account that is used by the operating system.
19 Group SID: S-1-5-32-544: A built-in group. After the initial installation of the ope\
20 rating system, the only member of the group is the Administrator account. When a com\
21 puter joins a domain, the Domain Administrators group is added to the Administrators\
22 group. When a server becomes a domain controller, the Enterprise Administrators gro\
23 up also is added to the Administrators group.
24
MFTECmd 104
25 Discretionary Access Control List

26 ACE record count: 2
27 ACL type: Discretionary
28
29 ------------ Ace record #0 ------------
30 Type: AccessAllowed
31 Flags: None
32 Mask: FileReadDirList | ReadEa | ReadAttrs | ReadControl | Synchronize
33 SID: S-1-5-18: An account that is used by the operating system.
34
35 ------------ Ace record #1 ------------
36 Type: AccessAllowed
37 Flags: None
38 Mask: FileReadDirList | ReadEa | ReadAttrs | ReadControl | Synchronize
39 SID: S-1-5-32-544: A built-in group. After the initial installation of the operating\
40 system, the only member of the group is the Administrator account. When a computer \
41 joins a domain, the Domain Administrators group is added to the Administrators group\
42 . When a server becomes a domain controller, the Enterprise Administrators group als\
43 o is added to the Administrators group.
--sn
This switch informs the tool to include DOS file names as well as a few other columns of output.
--csv C:\temp --sn
The above command output a 191MB CSV compared to 122MB without the --sn switch. Also, the
above command adds the following columns within Timeline Explorer that are available in the
Column Chooser (right-click on a column header and double click on them to add them in).
MFTECmd 105
mftecmdSNswitchcolumnsTLE
--fl
This switch informs the tool to output a simple file listing of the contents of the $MFT parsed
which will include the following columns: FullPath, Extension, IsDirectory, FileSize, Created0x10,
and LastModified0x10.
--csv C:\temp --fl
--at
This switch informs the tool to display the timestamps even when the 0x10 and 0x30 timestamps are
identical. Normally, the 0x30 timestamps would be empty if they’re identical to the 0x10 timestamps
for the purpose of making anomalies easier to spot.
--csv C:\temp --at
--rs
This switch informs the tool to attempt to recover slack space from FILE records.
--csv C:\temp --rs
MFTECmd 106
MFTECmd Command Examples
Example MFTECmd Commands

Parse a $MFT and output to CSV to a specified location and name the output
file MyOutputFile.csv
MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out" --csvf MyOutputFile.csv
Parse a $MFT and output to CSV to a specified location
MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out"
Parse a $MFT and output to JSON to a specified location
MFTECmd.exe -f "C:\Temp\SomeMFT" --json "c:\temp\jsonout"
Parse a $MFT and output to bodyfile for the C:\ drive
MFTECmd.exe -f "C:\Temp\SomeMFT" --body "c:\temp\bout" --bdl c
Parse a $MFT and dump the full details for entry number 5, sequence number
5 to the console
MFTECmd.exe -f "C:\Temp\SomeMFT" --de 5-5
#### Parse $Boot and output to console
.\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\Boot\Win10\APTSimulato\
rVM\$Boot'
Parse $SDS and output to CSV to a specified location
.\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\Secure_$SDS\Win10\APTS\
imulatorVM\$Secure_$SDS' --csv C:\temp
Parse $I30 and output to CSV to a specified location

MFTECmd 107
.\MFTECmd.exe -f 'D:\DFIRArtifactMuseum\Windows\NTFSArtifacts\$I30\EricZimmerman\Sec\
ondDelete\$I30' --csv c:\temp
MFTECmd 108
MFTECmd Output
Analyzing MFTECmd Output - CSV

MFTECmd output provides a few important data points that are not native to NTFS metadata files
but are still very helpful to examiners.
When parsing the $MFT, output provided will contain three data points unique to MFTECmd:
mftecmd3columns
SI < FN
SI < FN can be translated to Standard Information (0x10) Attribute timestamp is less than (aka earlier
than) the File Name (0x30) Attribute timestamp. This is meant to point out a potential indicator of
timestomping occuring on the volume being analyzed. Learn more about timestomping here⁸⁸ and
here⁸⁹.
u Sec Zeros
u Sec Zeros indicates that the subseconds of a timestamp has been zeroed out. An example of a
zeroed out subsecond value would be 2022-12-34 12:34:56.0000000. Prior to being timestomped, that
timestamp likely looked similar to this: 2022-12-34 12:34:56.1234567 where the subsecond values were
not zeroed out.
⁸⁸https://www.kroll.com/en/insights/publications/cyber/anti-forensic-tactics/anti-forensics-tactics-timestomping
⁸⁹https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
MFTECmd 109
Copied
Copied indicates that the Last Modified timestamp value occurs before the Creation timestamp
of a given file or folder. How can this be? During a file copy operation, the file being copied’s
Creation timestamp is untouched but the Last Modified timestamp will reflect the time of file copy.
This can often result in a file showing as being modified before it existed, which is impossible.
MFTECmd recognizes this and will provide an indicator in this Copied column as to whether or not
the timestamps indicate such a file copy operation may have occurred.
MFTECmd 110
Analyzing MFTECmd Output - JSON

Executing MFTECmd with JSON output enabled will provide results similar to the example below:
1 {
2 "EntryNumber": 0,
3 "SequenceNumber": 1,
4 "ParentEntryNumber": 5,
5 "ParentSequenceNumber": 5,
6 "InUse": true,
7 "ParentPath": ".",
8 "FileName": "$MFT",
9 "Extension": "",
10 "IsDirectory": false,
11 "HasAds": false,
12 "IsAds": false,
13 "FileSize": 274202624,
14 "Created0x10": "2022-03-10T19:30:21.3503859+00:00",
15 "LastModified0x10": "2022-03-10T19:30:21.3503859+00:00",
16 "LastRecordChange0x10": "2022-03-10T19:30:21.3503859+00:00",
17 "LastAccess0x10": "2022-03-10T19:30:21.3503859+00:00",
18 "UpdateSequenceNumber": 0,
19 "LogfileSequenceNumber": 960937622,
20 "SecurityId": 256,
21 "SiFlags": 6,
22 "ReferenceCount": 1,
23 "NameType": 3,
24 "Timestomped": false,
25 "uSecZeros": false,
26 "Copied": false,
27 "FnAttributeId": 3,
28 "OtherAttributeId": 6
29 },
MFTECmd 111
Analyzing MFTECmd Output - Body

Executing MFTECmd with bodyfile output enabled will provide results similar to the example below:
1 0|c:/$MFT|0-128-6|r/rrwxrwxrwx|0|0|274202624|1646940621|1646940621|1646940621|164694\
2 0621
3 0|c:/$MFT ($FILE_NAME)|0-48-3|r/rrwxrwxrwx|0|0|274202624|1646940621|1646940621|16469\
4 40621|1646940621
5 0|c:/$MFTMirr|1-128-1|r/rrwxrwxrwx|0|0|4096|1646940621|1646940621|1646940621|1646940\
6 621
7 0|c:/$MFTMirr ($FILE_NAME)|1-48-2|r/rrwxrwxrwx|0|0|4096|1646940621|1646940621|164694\
8 0621|1646940621
9 0|c:/$LogFile|2-128-1|r/rrwxrwxrwx|0|0|67108864|1646940621|1646940621|1646940621|164\
10 6940621
11 0|c:/$LogFile ($FILE_NAME)|2-48-2|r/rrwxrwxrwx|0|0|67108864|1646940621|1646940621|16\
12 46940621|1646940621
13 0|c:/$Volume|3-128-3|r/rrwxrwxrwx|0|0|0|1646940621|1646940621|1646940621|1646940621
14 0|c:/$Volume ($FILE_NAME)|3-48-1|r/rrwxrwxrwx|0|0|0|1646940621|1646940621|1646940621\
15 |1646940621
16 0|c:/$AttrDef|4-128-1|r/rrwxrwxrwx|0|0|2560|1646940621|1646940621|1646940621|1646940\
17 621
18 0|c:/$AttrDef ($FILE_NAME)|4-48-2|r/rrwxrwxrwx|0|0|2560|1646940621|1646940621|164694\
19 0621|1646940621
MFTECmd 112
MFTECmd References

• https://github.com/EricZimmerman/MFT is the C# library for parsing $MFT files
• https://github.com/EricZimmerman/MFTECmd is the Command Line wrapper for the MFT
library
Blog Posts
Official Blog Posts
• Introducing MFTECmd!⁹⁰
• MFTECmd v0.2.6.0 released⁹¹
• MFTECmd 0.3.6.0 released⁹²
Explorer (and SBECmd), and Registry Explorer (and RECmd)⁹³
Community Resources
• AboutDFIR - MFT Explorer/MFTECmd⁹⁴

• 13Cubed - NTFS Journal Forensics⁹⁵
• 13Cubed - Introduction to MFTECmd - NTFS MFT and Journal Forensics⁹⁶
• MFTECmd$J$MFTParser.ps1⁹⁷
Download MFTECmd
MFTECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
NTFS Sample Data

Sample NTFS artifacts can be found at the DFIRArtifactMuseum⁹⁸.
⁹⁰https://binaryforay.blogspot.com/2018/06/introducing-mftecmd.html
⁹¹https://binaryforay.blogspot.com/2018/06/mftecmd-v0260-released.html
⁹²https://binaryforay.blogspot.com/2018/12/mftecmd-0360-released.html
⁹³https://binaryforay.blogspot.com/2019/01/locked-file-support-added-to.html
⁹⁴https://aboutdfir.com/toolsandartifacts/windows/mft-explorer-mftecmd/
⁹⁵https://www.youtube.com/watch?v=1mwiShxREm8
⁹⁶https://www.youtube.com/watch?v=_qElVZJqlGY
⁹⁷https://github.com/AndrewRathbun/DFIRPowerShellScripts/blob/main/MFTECmd%24J%24MFTParser.ps1
⁹⁸https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/NTFSArtifacts
PECmd
PECmd Introduction
PECmd is a tool created by Eric Zimmerman used to parse Windows Prefetch files (.pf), which can
be located at C:\Windows\Prefetch.
PECmd Use Cases
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing Prefetch files which can help provide
evidence of program execution. This may be useful in situations where crimes are being investigated
that involve media players and photo viewers. Historical run times of the program can be useful in
establishing a pattern of activity relating to application use.
Private Sector
For those in the Private Sector, this tool is useful for parsing Prefetch files which can help
provide evidence of execution of suspicious applications used by a threat actor during a period
of unauthorized access.
PECmd 114
PECmd Switches
In a PowerShell window, running .\PECmd.exe will provide the following options when running
PECmd:
Description:
PECmd version 1.5.0.0

https://github.com/EricZimmerman/PECmd
Examples: PECmd.exe -f "C:\Temp\CALC.EXE-3FBEF7FD.pf"

PECmd.exe -f "C:\Temp\CALC.EXE-3FBEF7FD.pf" --json "D:\jsonOutput" --jso\
npretty
PECmd.exe -d "C:\Temp" -k "system32, fonts"
PECmd.exe -d "C:\Temp" --csv "c:\temp" --csvf foo.csv --json c:\temp\json
PECmd.exe -d "C:\Windows\Prefetch"
ands are prefixed
with two dashes
Usage:
PECmd [options]
Options:
-k <k> Comma separated list of keywords to highlight in output. By defau\
lt, 'temp' and
'tmp' are highlighted. Any additional keywords will be added to t\
hese
-o <o> When specified, save prefetch file bytes to the given path. Usefu\
l to look at
decompressed Win10 files
-q Do not dump full details about each file processed. Speeds up pro\
cessing when
using --json or --csv [default: False]
--json <json> Directory to save JSON formatted results to. Be sure to include t\
he full path
in double quotes
PECmd 115
des default
name
--csv <csv> Directory to save CSV formatted results to. Be sure to include th\
e full path in
double quotes
es default name
--html <html> Directory to save xhtml formatted results to. Be sure to include \
the full path
in double quotes
--dt <dt> The custom date/time format to use when displaying time stamps. S\
ee
https://goo.gl/CNVq0k for options [default: yyyy-MM-dd HH:mm:ss]
--mp When true, display higher precision for timestamps [default: Fals\
e]
-f or -d
[default: False]
--dedupe Deduplicate -f or -d & VSCs based on SHA-1. First file found wins\
[default:
False]

PECmd 116
Switch Descriptions
-k
This switch informs the tool to highlight a list of keywords (comma separated)
Example: .\PECmd.exe -f "C:\temp\prefetch\TIMELINEEXPLORER.EXE-959F92B3.pf" -k
timeline,explorer
Within the results, one can see the (Keyword True) appended to the end of a line where the specified
keyword appears:
19: \VOLUME{01d7b51f5d5ed7cd-b45d68a4}\USERS\CFUSER\ONEDRIVE
20: \VOLUME{01d7b51f5d5ed7cd-b45d68a4}\USERS\CFUSER\ONEDRIVE\DESKTOP
21: \VOLUME{01d7b51f5d5ed7cd-b45d68a4}\USERS\CFUSER\ONEDRIVE\DESKTOP\EZ TOOLS
22: \VOLUME{01d7b51f5d5ed7cd-b45d68a4}\USERS\CFUSER\ONEDRIVE\DESKTOP\EZ TOOLS\NET6
23: \VOLUME{01d7b51f5d5ed7cd-b45d68a4}\USERS\CFUSER\ONEDRIVE\DESKTOP\EZ TOOLS\NET6\T\
IMELINEEXPLORER (Keyword True)
-o
This switch informs the tool to output the decompressed bytes of the Prefetch file to a specified
location. Please note, this works in Windows 10 and newer as those operating systems compress
Prefetch files.
Example: .\PECmd.exe -f "C:\temp\prefetch\TIMELINEEXPLORER.EXE-959F92B3.pf" -o
D:\Prefetch
Please note, in the above example a binary file called Prefetch will be output to the root of the D:\
drive. Do not expect PECmd to output the bytes as a binary file into the D:Prefetch folder.
--mp
This switch will instruct PECmd to provide more verbose timestamps. For instance, running
.\PECmd.exe -f "C:\temp\prefetch\TIMELINEEXPLORER.EXE-959F92B3.pf" --mp resulted in the
following:
Created on: 2022-05-28 03:22:25.3924904

Modified on: 2022-07-08 12:42:40.1435546
Last accessed on: 2022-09-09 03:03:13.7696931
Running .\PECmd.exe -f "C:\temp\prefetch\TIMELINEEXPLORER.EXE-959F92B3.pf" resulted in the

following:
PECmd 117
Created on: 2022-05-28 03:22:25

Modified on: 2022-07-08 12:42:40
Last accessed on: 2022-09-09 03:03:23
--vss
Example: .\PECmd.exe -d "C:\temp\prefetch" --vss
PECmd 118
PECmd Command Examples
Example PECmd Commands
Parse a Prefetch file and output to the console window
PECmd.exe -f "C:\Temp\CALC.EXE-3FBEF7FD.pf"
Parse a Prefetch file and output to formatted JSON to a specified location
PECmd.exe -f "C:\Temp\CALC.EXE-3FBEF7FD.pf" --json "D:\jsonOutput" --jsonpretty
Parse a directory of Prefetch files and output to console window with specified
keywords highlighted in the output
PECmd.exe -d "C:\Temp" -k "system32, fonts"
Parse a directory of Prefetch and output to CSV to a specified location with the
filename foo.csv and output to JSON to a specified location
PECmd.exe -d "C:\Temp" --csv "c:\temp" --csvf foo.csv --json c:\temp\json
Parse a directory of Prefetch files
PECmd.exe -d "C:\Windows\Prefetch"
PECmd 119
PECmd Output
Analyzing PECmd Output - CSV

PECmd will output multiple CSVs with the following filenames:
%timestamp%_PECmd_Output.csv
%timestamp%_PECmd_Output_Timeline.csv
The timeline output will provide all of the entries from the PECmd output in a single timeline sorted
on the run time stored within Prefetch.
PECmd 120
Analyzing PECmd Output - JSON

Here’s an example of PECmd’s JSON output:
1 {
2 "SourceFilename": "C:\\temp\\prefetch\\TIMELINEEXPLORER.EXE-959F92B3.pf",
3 "SourceCreated": "2022-05-28 03:22:25",
4 "SourceModified": "2022-07-08 12:42:40",
5 "SourceAccessed": "2022-09-09 03:22:30",
6 "ExecutableName": "TIMELINEEXPLORER.EXE",
7 "Hash": "959F92B3",
8 "Size": "447074",
9 "Version": "Windows 10 or Windows 11",
10 "RunCount": "24",
11 "LastRun": "2022-07-08 12:42:38",
12 "PreviousRun0": "2022-06-29 17:56:46",
13 "PreviousRun1": "2022-06-28 13:06:32",
14 "PreviousRun2": "2022-06-26 02:57:37",
15 "PreviousRun3": "2022-06-22 18:12:52",
16 "PreviousRun4": "2022-06-13 20:37:15",
17 "PreviousRun5": "2022-06-11 20:57:04",
18 "PreviousRun6": "2022-06-10 17:50:59",
19 "Volume0Name": "\\VOLUME{01d7b51f5d5ed7cd-b45d68a4}",
20 "Volume0Serial": "B45D68A4",
21 "Volume0Created": "2021-09-29 10:47:14",
22 "Directories": TooManyToListHere
23 "FilesLoaded": TooManyToListHere
24 "ParsingError": false
Analyzing PECmd Output - HTML

PECmd’s JSON output will be very similar to the JSON output, except in an HTML file.
PECmd Key Takeaways

Prefetch files can store multiple run times for a single executable. This can help track historical
execution of a file of interest.
PECmd 121
PECmd References

library
Blog Posts
Official Blog Posts
• Windows Prefetch parser in C#⁹⁹

• Introducing PECmd!¹⁰⁰
• PECmd v0.6.0.0 released¹⁰¹
• PECmd, LECmd, and JLECmd updated!¹⁰²
Community Resources
• Prefetch Forensics¹⁰³
• Forensic Investigation : Prefetch File¹⁰⁴
• DFIR Playbook - Windows Forensics(WIP APR21)¹⁰⁵
Download PECmd
PECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
PECmd Sample Data

Sample Prefetch artifacts can be found at the DFIRArtifactMuseum¹⁰⁶.
⁹⁹https://binaryforay.blogspot.com/2016/01/windows-prefetch-parser-in-c.html
¹⁰⁰https://binaryforay.blogspot.com/2016/01/introducing-pecmd.html
¹⁰¹https://binaryforay.blogspot.com/2016/01/pecmd-v0600-released.html
¹⁰²https://binaryforay.blogspot.com/2016/03/pecmd-lecmd-and-jlecmd-updated.html
¹⁰³https://or10nlabs.tech/prefetch-forensics/
¹⁰⁴https://www.hackingarticles.in/forensic-investigation-prefetch-file/
¹⁰⁵https://angry-bender.github.io/blog/WIP_Windows_Artefacts/#prefetch-files
¹⁰⁶https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/Prefetch
RBCmd
RBCmd Introduction
RBCmd is a tool created by Eric Zimmerman used to parse the SUM database. The SUM database is
located at C:\Windows\System32\LogFiles\SUM where multiple *.mdb files can be located.
RBCmd Use Cases
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing Recycle Bin files which can provide
indications of what files were deleted when and by which user. This can be crucial for crimes
involving contraband multimedia files as key evidence.
Private Sector
For those in the Private Sector, this tool is useful for parsing Recycle Bin files which can provide
indications of what files a threat actor deleted before ending a period of unauthorized access. Often,
there will be indicators of threat actor tool output having been deleted by a compromised user
account within the Recycle Bin. This can help build out the timeline of events during a period of
unauthorized access
RBCmd 123
RBCmd Switches
In a PowerShell window, running .\RBCmd.exe will provide the following options when running
RBCmd:
Description:
RBCmd version 1.5.0.0

https://github.com/EricZimmerman/RBCmd
Examples: RBCmd.exe -f "C:\Temp\INFO2"

RBCmd.exe -f "C:\Temp\$I3VPA17" --csv "D:\csvOutput"
RBCmd.exe -d "C:\Temp" --csv "c:\temp"
ands are prefixed
with two dashes
Usage:
RBCmd [options]
Options:
eed up
exporting to json and/or csv
full path in
double quotes
s default name
--dt <dt> The custom date/time format to use when displaying time stamps. See
https://goo.gl/CNVq0k for options. Default is: yyyy-MM-dd HH:mm:ss\
[default:
yyyy-MM-dd HH:mm:ss]
RBCmd 124
Switch Descriptions
Thankfully, RBCmd doesn’t have any unique switches that aren’t already covered in the common
switches chapter.
RBCmd Command Examples
Example RBCmd Commands
Parse a legacy INFO2 Recycle Bin artifact and output to the console window
RBCmd.exe -f "C:\Temp\INFO2"
Parse a $I file and output to CSV to a specified location
RBCmd.exe -f "C:\Temp\$I3VPA17" --csv "D:\csvOutput"
Parse a directory of files and output to CSV to a specified location
RBCmd.exe -d "C:\Temp" --csv "c:\temp"

RBCmd 125
RBCmd Output
Analyzing RBCmd Output - Console

When running RBCmd with no specified output, you will see an entry similar to the one below for
each Recycle Bin artifact parsed:
1 Source file: C:\temp\$Recycle.Bin\S-1-5-21-868105201-2749328792-1957117261-1001\$IZU\

2 DHPA.md
3
4 Version: 2 (Windows 10/11)
5 File size: 304 (304B)
6 File name: C:\Users\CFUser\Documents\GitHub\DFIRArtifactMuseum\iOS\Address Book\iOS \
7 14.1 - Hickman\README.md
8 Deleted on: 2022-05-13 16:29:11
Analyzing RBCmd Output - CSV

When running RBCmd with CSV output, a CSV will be output with similar data that’s output to the
console.
RBCmd Key Takeaways

The Deleted On timestamp will be useful in determining when a file was deleted by a specific user.
The Recycle Bin metadata files can be tracked to a user by their SID. That way, one can attribute
which user deleted the file a given metadata file is pointing to.
RBCmd 126
RBCmd References

• https://github.com/EricZimmerman/RBCmd is the GitHub repository for RBCmd
Blog Posts
Official Blog Posts
• Quick Post: Notes on the Win10 Recycle Bin¹⁰⁷
Download RBCmd
RBCmd can be downloaded from https://ericzimmerman.github.io/#!index.md
Recycle Bin Sample Data

Sample Recycle Bin artifacts can be found at the DFIRArtifactMuseum¹⁰⁸.
¹⁰⁷https://thinkdfir.com/2018/11/23/quick-post-notes-on-the-win10-recycle-bin/
¹⁰⁸https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/%24Recycle.Bin
RecentFileCacheParser
RecentFileCacheParser Introduction
RecentFileCacheParser is a tool created by Eric Zimmerman used to parse the RecentFileCache. The
RecentFileCache can be located at C:\Windows\AppCompat\Programs\RecentFileCache.bcf.
RecentFileCacheParser 128
RecentFileCacheParser Switches
In a PowerShell window, running .\RecentFileCacheParser.exe will provide the following options
when running RecentFileCacheParser:
Description:
RecentFileCacheParser version 1.5.0.0

https://github.com/EricZimmerman/RecentFileCacheParser
Examples: RecentFileCacheParser.exe -f "C:\Temp\RecentFileCache.bcf" --csv "c:\tem\

p"
RecentFileCacheParser.exe -f "C:\Temp\RecentFileCache.bcf" --json "D:\js\
onOutput"
--jsonpretty
ands are prefixed
with two dashes
Usage:
RecentFileCacheParser [options]
Options:
-f <f> File to process. Required
full path in
double quotes
s default name
--json <json> Directory to save json representation to. Use --pretty for a more \
human readable
layout
--pretty When exporting to json, use a more human readable layout [default:\
False]
eed up
exporting to json and/or csv [default: False]
Switch Descriptions
Thankfully, RecentFileCacheParser doesn’t have any unique switches that aren’t already covered in
the common switches chapter.
RecentFileCacheParser Command Examples
Example RecentFileCacheParser Commands
Parse the RecentFileCache and output to CSV to a specified location
RecentFileCacheParser.exe -f "C:\Temp\RecentFileCache.bcf" --csv "c:\temp"
Parse the RecentFileCache and output to JSON to a specified location
RecentFileCacheParser.exe -f "C:\Temp\RecentFileCache.bcf" --json "D:\jsonOutput"

RecentFileCacheParser Output
Analyzing RecentFileCacheParser Output - Console

Source file: D:\DFIRArtifactMuseum\Windows\RecentFileCache\Win7\EricZimmerman\Recent\
FileCache.bcf
Source created: 2022-07-03 02:06:55
Source modified: 2022-07-03 02:06:55
Source accessed: 2022-09-09 17:11:42
File names
c:\windows\system32\werfault.exe
c:\program files\jetico\bcwipe\bcwipesvc.exe
c:\program files\jetico\bcwipe\bcwipetm.exe
c:\windows\system32\icacls.exe
c:\windows\system32\systempropertiesprotection.exe
c:\windows\bcuninstall.exe
Analyzing RecentFileCacheParser Output - CSV

When executing RecentFileCacherParser with CSV output enabled, it will output a filename similar
to the example below:
%timestamp%_RecentFileCacheParser_Output.csv
Analyzing RecentFileCacheParser Output - JSON

When executing RecentFileCacherParser with JSON output enabled, it will produce output similar
to the example below:
1 {
2 "SourceFile": "D:\\DFIRArtifactMuseum\\Windows\\RecentFileCache\\Win7\\EricZimmerma\
3 n\\RecentFileCache.bcf",
4 "SourceCreated": "\/Date(1656814015362)\/",
5 "SourceModified": "\/Date(1656814015362)\/",
6 "SourceAccessed": "\/Date(1662743665086)\/",
7 "FileNames": [
8 "c:\\windows\\system32\\werfault.exe",
9 "c:\\program files\\jetico\\bcwipe\\bcwipesvc.exe",
10 "c:\\program files\\jetico\\bcwipe\\bcwipetm.exe",
11 "c:\\windows\\system32\\icacls.exe",
12 "c:\\windows\\system32\\systempropertiesprotection.exe",
13 "c:\\windows\\bcuninstall.exe"
14 ]
15 }
RecentFileCacheParser References

• https://github.com/EricZimmerman/RecentFileCacheParser is the GitHub repository for Re-
centFileCacheParser
Download RecentFileCacheParser
RecentFileCacheParser can be downloaded from https://ericzimmerman.github.io/#!index.md
RecentFileCache Sample Data

Sample RecentFileCache artifacts can be found at the DFIRArtifactMuseum¹⁰⁹.
¹⁰⁹https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/RecentFileCache
RECmd
RECmd Introduction
RECmd is a tool created by Eric Zimmerman used to parse Registry hives. Registry hives are located
at C:\Windows\System32\config and contain multiple hives of interest.
RECmd Use Cases
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing Registry hives which can contain a
wealth of artifacts that can be attributed to a specific user of interest. There are artifacts within
the Windows Registry that can help prove evidence of program execution, evidence of file opening,
evidence of user logon, and many more. The Registry is simply too valuable to ignore on almost any
possible criminal invesitgation.
Private Sector
For those in the Private Sector, this tool is useful for parsing Registry hives which can contain possible
indicators of threat actor persistence. Additionally, the user-attributable artifacts listed above can
be useful when targeting the activity of compromised user accounts.
RECmd Batch Files

https://github.com/EricZimmerman/RECmd/tree/master/BatchExamples
Creating RECmd Batch Files
If you are looking for guidance on how to create RECmd Batch Files, look no further than the
following resources:
• RECmd Batch Files Guide¹¹⁰

• RECmd Batch Files Template¹¹¹
Tools/KAPE: How to Contribute to and Benefit from Open Source Contributions. Click here¹¹² for a
timestamped link to the section of the presentation that relates to RECmd Batch Files.
¹¹⁰https://github.com/EricZimmerman/RECmd/blob/master/BatchExamples/!RECmdBatch.guide
¹¹¹https://github.com/EricZimmerman/RECmd/blob/master/BatchExamples/!RECmdBatch.template
¹¹²https://youtu.be/mIb1GQP3ciE?t=318
RECmd 134
RECmd Switches
In a PowerShell window, running .\RECmd.exe will provide the following options when running
RECmd:
RECmd version 2.0.0.0

https://github.com/EricZimmerman/RECmd
Note: Enclose all strings containing spaces (and all RegEx) with double quotes
Command line:
Description:
RECmd version 2.0.0.0

Note: Enclose all strings containing spaces (and all RegEx) with double quotes
Example: ``RECmd.exe --f "C:\Temp\UsrClass 1.dat" --sk URL --recover false --nl
RECmd.exe --f "D:\temp\UsrClass 1.dat" --StartDate "11/13/2014 15:35:01"
RECmd.exe --f "D:\temp\UsrClass 1.dat" --RegEx --sv "(App|Display)Name"
Usage:
RECmd [options]
Options:
-d <d> Directory to look for hives (recursively). -f or -d is requir\
ed
-f <f> Hive to search. -f or -d is required
--kn <kn> Display details for key name. Includes subkeys and values
--vn <vn> Value name. Only this value will be dumped
--bn <bn> Use settings from supplied file to find keys/values. See incl\
uded sample
file for examples
--csv <csv> Directory to save CSV formatted results to. Required when -bn\
is used
--csvf <csvf> File name to save CSV formatted results to. When present, ove\
rrides default
RECmd 135
name
--saveTo <saveTo> Saves --vn value data in binary form to file. Expects path to\
a FILE
--json <json> Export --kn to directory specified by --json. Ignored when --\
vn is specified
--jsonf <jsonf> When true, compress names for profile based hives.
--details Show more details when displaying results [default: False]
--base64 <base64> Find Base64 encoded values with size >= Base64 (specified in \
bytes)
--minSize <minSize> Find values with data size >= MinSize (specified in bytes)
--sa <sa> Search for <string> in keys, values, data, and slack
--sk <sk> Search for <string> in value record's key names
--sv <sv> Search for <string> in value record's value names
--sd <sd> Search for <string> in value record's value data
--ss <ss> Search for <string> in value record's value slack
--literal If true, --sd and --ss search value will not be interpreted a\
s ASCII or
Unicode byte strings [default: False]
--nd If true, do not show data when using --sd or --ss [default: F\
alse]
--regex If present, treat <string> in --sk, --sv, --sd, and --ss as a\
regular
expression [default: False]
--dt <dt> The custom date/time format to use when displaying time stamp\
s [default:
yyyy-MM-dd HH:mm:ss.fffffff]
--nl When true, ignore transaction log files for dirty hives [defa\
ult: False]
--recover If true, recover deleted keys/values [default: False]
--vss Process all Volume Shadow Copies that exist on drive specifie\
d by -f or -d
[default: False]
--dedupe Deduplicate -f or -d & VSCs based on SHA-1. First file found \
wins [default:
False]
--sync If true, the latest batch files from
https://github.com/EricZimmerman/RECmd/tree/master/BatchExamp\
les are
downloaded and local files updated [default: False]
RECmd 136
Switch Descriptions
--kn
This switch informs the tool to dump the full details of a provided key within the Registry.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry\Win10\APTSimulatorVM"
--kn ROOT\ControlSet001\Control\BackupRestore\FilesNotToBackup
--vn
This switch informs the tool to dump the full details of the value name specified. Please note,
one of the following switches is required when using --vn: --sk, --sv, --sd, --ss, --kn, --Base64,
--MinSize, and --bn.

--kn "ROOT\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" --vn
LastLoggedOnSAMUser
--bn
This switch informs the tool to use a specified batch file when parsing registry hives.
--bn BatchExamples\Kroll_Batch.reb --csv C:\temp
Please note, the Kroll Batch file is the most updated and actively maintained RECmd Batch file.
--saveTo
This switch informs the tool to save the binary data from a specified value name to a specified
location.
--kn "ROOT\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" --vn
LastLoggedOnSAMUser --saveTo c:\temp\output
Please note, output is a binary file that can be opened in a text editor to view the contents.
--details
This switch informs the tool to display more details when displaying results.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --sd VMware
RECmd 137
--base64
This switch informs the tool to search for Base64 values that are larger than the amount of bytes
specified.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry\Win11\RathbunVM"
--base64 10
The above command provides results similar to the following:
1 Found 2 search hits with size greater or equal to 10 bytes in D:\DFIRArtifactMuseum\\

2 Windows\Registry\Win11\RathbunVM\DEFAULT (NTUSER)\NTUSER.DAT
3 Key: AppEvents\EventLabels\Notification.Default, Value: (default), Size: 26
4 Key: Control Panel\PowerCfg\PowerPolicies\2, Value: Name, Size: 26
--minSize
This switch informs the tool to search for values with a minimum size in bytes.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry\Win11\RathbunVM"
--minSize 500
1 Found 18 search hits with size greater or equal to 500 bytes in D:\DFIRArtifactMuseu\
2 m\Windows\Registry\Win11\RathbunVM\SAM
3 Key: SAM\Domains\Account\Users\000001F4, Value: V, Size: 688
7 Key: SAM\Domains\Account\Users\000001F8, Value: SupplementalCredentials, Size: 1,168
8 Key: SAM\Domains\Account\Users\000003E9, Value: V, Size: 580
9 Key: SAM\Domains\Builtin\Aliases\00000221, Value: C, Size: 560
13 Key: SAM\Domains\Builtin\Aliases\0000022C, Value: C, Size: 564
14 Key: SAM\Domains\Builtin\Aliases\0000022F, Value: C, Size: 664
19 Key: SAM\Domains\Account\Users\000003E8, Value: V, Size: 632 (Deleted: True)
20 Key: SAM\Domains\Account\Users\000003E8, Value: SupplementalCredentials, Size: 1,552\
21 (Deleted: True)
RECmd 138
–sa‘
This switch informs the tool to search for a specified string within keys, values, data, and slack.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --sa VMware
--sk
This switch informs the tool to search for a specified string within a value record’s key names.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --sk VMware
1 Found 2 search hits in D:\DFIRArtifactMuseum\Windows\Registry\Win11\RathbunVM\NTUSER\

2 .DAT
3 Key: Software\VMware, Inc.
4 Key: Software\VMware, Inc.\VMware Tools
--sv
This switch informs the tool to search for a specified string within a record’s value names.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --sv VMware
--sd
This switch informs the tool to search for a specified string within a value record’s value data.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --sd VMware
1 Found 5 search hits in D:\DFIRArtifactMuseum\Windows\Registry\Win11\RathbunVM\SYSTEM

2 Key: ControlSet001\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFF\
3 FFFFF}\BaseContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}, Value: SCSI\CdRom&Ven_\
4 NECVMWar&Prod_VMware_SATA_CD01\5&260e6d66&0&010000
5 Key: ControlSet001\Control\DeviceContainers\{8a1a5449-86cd-11ec-ae32-806e6f6\
6 e6963}\BaseContainers\{8a1a5449-86cd-11ec-ae32-806e6f6e6963}, Value: SCSI\Disk&Ven_N\
7 VMe&Prod_VMware_Virtual_N\5&25a13950&0&000000
8 Key: ControlSet001\Services\bam\State\UserSettings\S-1-5-21-4063860464-15085\
9 73791-632671957-1001, Value: \Device\HarddiskVolume3\Program Files\VMware\VMware Too\
10 ls\vmtoolsd.exe
11 Key: DriverDatabase\DriverPackages\vmci.inf_amd64_5e38a278d114b813\Strings, \
12 Value: loc.vmwaremanufacturer
13 Key: DriverDatabase\DriverPackages\vmci.inf_amd64_5e38a278d114b813\Strings, \
14 Value: loc.vmwarebusdevicedesc
RECmd 139
--ss
This switch informs the tool to search for a specified string within a value record’s slack.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --ss VMware
The above command will provide no results.
--literal
This switch informs the tool to not interpret the specified string as ASCII or Unicode byte strings.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --sd VMware --literal
--nd
This switch informs the tool to not show data when using --sd or --ss.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --sd VMware --nd
--regex
This switch informs the tool to treat the specified string as a regular expression for the following
switches: --sk, --sv, --sd, and --ss.
Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --sd
"\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?
--regex
The above regular expression is the IPv4 regular expression taken from here¹¹³.
--nl
This switch informs the tool to ignore replaying transaction logs.

Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --sd VMware --nl
Please note, using this switch will provide the following message: Registry hive is dirty and
transaction logs were found in the same directory, but --nl was provided. Data may be
missing! Continuing anyways...
--recover
This switch informs the tool to attempt to recover deleted keys/values.

Example: .\RECmd.exe -d "D:\DFIRArtifactMuseum\Windows\Registry" --sd VMware --recover
¹¹³https://github.com/AndrewRathbun/DFIRRegex
RECmd 140
‘–sync‘
This switch will inform the tool to download all RECmd Batch Files from GitHub¹¹⁴ and update the
local Batch Files stored in .\RECmd\BatchExamples.
Example: “‘.RECmd.exe –sync‘
¹¹⁴https://github.com/EricZimmerman/RECmd/tree/master/BatchExamples
RECmd 141
RECmd Command Examples
Example RECmd Commands

Parse a specified file for URL within the key names without recovering deleted
keys/values and without replaying transaction logs
RECmd.exe --f "C:\Temp\UsrClass 1.dat" --sk URL --recover false --nl
Parse a specified file for specified regular expression within the value names
RECmd.exe --f "D:\temp\UsrClass 1.dat" --regex --sv "(App|Display)Name"

RECmd 142
RECmd Output
Analyzing RECmd Output - CSV

Using RECmd in batch mode is the ideal way to parse the Registry when CSV output is desired.
99% of the Windows Registry is not forensically interesting to examiners, so Batch files serve as a
filter that tells RECmd to only parse what is specified within the Batch file, and ignore the rest. This
allows for all the quick win artifacts in the Registry to be output to a single CSV output. Generally
speaking, the Description and Category columns are going to be very important when trying to
make sense of the CSV output.
An artifact will be given an accurate Description, which can be similar to UserAssist or TypedURLs,
for example. Next, an artifact will be given a Category, so UserAssist’s Category would be Program
Execution and TypedURLs would be User Activity, as an example. This allows for examiners to filter
on either the specific artifact by Description or filter by general category of artifact, such as Program
Execution, Web Browsers, System Info, and many more.
The Kroll Batch file has received the most care and curation from the DFIR community and should
be considered the de facto option when choosing a batch file for RECmd.
Analyzing RECmd Output - JSON

Dumping Registry hives to JSON can be helpful as a supplement to CSV output. Dumping from the
ROOT key to JSON will allow for the entire contents of the Registry hives parsed to be grepped
through with a program like PowerGREP.
Example: .\RECmd.exe -f C:\temp\NTUSER.dat --kn ROOT --nl false --json C:\temp\output
--jsonf NTUSER_ROOT.json
The above command will dump from the ROOT (aka topmost) key in the hive, regardless of what
it’s called, to JSON.
RECmd 143
RECmd References

• https://github.com/EricZimmerman/RECmd is the GitHub repository for RECmd
Blog Posts
Official Blog Posts
• Introducing RECmd!¹¹⁵
• RECmd 0.6.0.0 released!¹¹⁶
• RECmd 0.6.1.0 released!¹¹⁷
• Reintroducing Registry Explorer and RECmd!¹¹⁸
• Registry Explorer/RECmd 0.7.1.0 released!¹¹⁹
• Registry values starting with a NULL character¹²⁰
part)¹²¹
• Everything gets an update, Sept 2018 edition¹²²
• Registry Explorer and RECmd 1.2.0.0 released!¹²³
Explorer (and SBECmd), and Registry Explorer (and RECmd)¹²⁴
Community Resources
• AboutDFIR - Registry Explorer/RECmd¹²⁵
Download RECmd
RECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
¹¹⁵https://binaryforay.blogspot.com/2015/05/introducing-recmd.html
¹¹⁶https://binaryforay.blogspot.com/2015/05/recmd-0600-released.html
¹¹⁷https://binaryforay.blogspot.com/2015/06/recmd-0610-released.html
¹¹⁸https://binaryforay.blogspot.com/2015/07/reintroducing-registry-explorer-and.html
¹¹⁹https://binaryforay.blogspot.com/2015/07/registry-explorerrecmd-0710-released.html
¹²⁰https://binaryforay.blogspot.com/2016/01/registry-values-starting-with-null.html
¹²¹https://binaryforay.blogspot.com/2018/03/updates-to-left-of-me-updates-to-right.html
¹²²https://binaryforay.blogspot.com/2018/09/everything-gets-update-sept-2018-edition.html
¹²³https://binaryforay.blogspot.com/2019/01/registry-explorer-and-recmd-1200.html
¹²⁴https://binaryforay.blogspot.com/2019/01/locked-file-support-added-to.html
¹²⁵https://aboutdfir.com/toolsandartifacts/windows/registry-explorer-recmd/
RECmd 144
Registry Sample Data

Sample Registry artifacts can be found at the DFIRArtifactMuseum¹²⁶. More can also be found here¹²⁷
for nearly every version of Windows.
¹²⁶https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/Registry
¹²⁷https://github.com/AndrewRathbun/VanillaWindowsRegistryHives
RLA
RLA Introduction
RLA is a tool that can be used to repair dirty Windows Registry hives. This is particularly useful
when using tools that don’t handle dirty Registry hives themselves.
RLA Use Cases

This tool is useful for replaying Registry transaction logs which will ensure you’re parsing all
possible data within a given Registry hive.
RLA 146
RLA Switches
In a PowerShell window, running .\RLA.exe will provide the following options when running
JLECmd:
rla version 2.0.0.0

Note: Enclose all strings containing spaces with double quotes
Command line:
Description:
rla version 2.0.0.0

Note: Enclose all strings containing spaces with double quotes
Example: rla.exe -f "C:\Temp\UsrClass 1.dat" --out C:\temp

rla.exe -d "D:\temp\" --out c:\temp
Usage:
rla [options]
Options:
-f <f> Hive to process. -f or -d is required
-d <d> Directory to look for hives (recursively). -f or -d is required
--out <out> Directory to save updated hives to. Only dirty hives with logs app\
lied will end
up in --out directory
--ca When true, always copy hives to --out directory, even if they aren\
't dirty.
[default: True]
--cn When true, compress names for profile based hives. [default: True]
RLA 147
Switch Descriptions
--out
This switch will output updated hives (aka dirty -> clean) to the specified directory. This will only
occur if there are dirty hives with transaction logs applied.
Example: .\rla.exe -d "D:\TODO" --out "D:\TODO\clean"
--ca
This switch will tell RLA.exe to always copy hives to the specified directory, even if they aren’t dirty.
Example: .\rla.exe -d "D:\Hives" --out "D:\Hives\clean" --ca
--cn
This switch will compress the names for profile-based hives.

Example: .\rla.exe -d "D:\Hives\NTUser" --out "D:\Hives\clean" --cn
RLA Command Examples
Example RLA Commands

Replay transaction logs from a specific Registry hive and output the clean
Registry hive to a specified location
rla.exe -f "C:\Temp\UsrClass 1.dat" --out C:\temp
Replay transaction logs from a directory or Registry hives and output the clean
Registry hives to a specified location
rla.exe -d "D:\temp\" --out c:\temp
RLA References
Download RLA
RLA can be downloaded from https://ericzimmerman.github.io/#!index.md
SBECmd
SBECmd Introduction
SBECmd is a tool created by Eric Zimmerman used to parse the NTUSER.dat and UsrClass.dat
Registry hives. These hives contains shell items that are recorded by Windows which indicate which
folders a user has traversed.
SBECmd Use Cases
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing the NTUser.dat and UsrClass.dat user
Registry hives which will contain artifacts of folder traversal. Since the NTUser.dat and UsrClass.dat
Registry hives exist for each user, one can attribute the folder traversal artifacts to a specific account.
For Law Enforcement, these artifacts may provide pointers to folders or ZIP files that no longer exist.
This artifact will provide the first and last time the specific user interacted with a specific folder or
ZIP file, in most cases.
Private Sector
For those in the Private Sector, this tool is useful for enumerating what a user of interest did during
unauthorized access to a given host. Often, artifacuts during periods of unauthorized access will
show the threat actor accessing and viewing files and folders that are highly sensitive to the client’s
business.
SBECmd 149
SBECmd Switches
In a PowerShell window, running .\SBECmd.exe will provide the following options when running
SBECmd:
Description:
SBECmd version 2.0.0.0

https://github.com/EricZimmerman
Examples: SBECmd.exe -d c:\temp\hives --csv c:\temp\sbeout

SBECmd.exe -d c:\temp\hives --csv c:\temp\sbeout --tz "US Eastern Standa\
rd Time"
SBECmd.exe -d c:\temp\hives --csv c:\temp\sbeout --dedupe
ands are prefixed
with two dashes
Usage:
SBECmd [options]
Options:
-d <d> Directory to look for registry hives. This or -l is required
-l Process live registry (Requires Administrator rights). This or -d \
is required
[default: False]
--csv <csv> Directory to save CSV formatted results to. This or --json require\
d unless --de
s default name
--dedupe When true, SBECmd processes all hives in -d <directory> and remove\
s duplicates.
See manual for details [default: False]
--nl When true, ignore transaction log files for dirty hives [default: \
False]
SBECmd 150

-d or -l required. Exiting
Switch Descriptions
-l
This switch will inform SBECmd to process the live user Registry hives.
Example: .\SBECmd.exe -l --csv D:\temp\sbecmd
The above command will output a filename similar to this: YYYYMMDD_HHMMSS_hostname_LIVE_-
REGISTRY.csv
-nl
This switch will inform the tool whether to replay transaction logs or not.
Below is an exmaple of replaying transaction logs:
Example: .\SBECmd.exe -d "D:\temp\hives" --nl false --csv "D:\temp"
When processing transaction logs, you will see a message similar to this:
Two transaction logs found. Determining primary log...

Primary log: D:\temp\hives\SYSTEM.LOG2, secondary log: D:\temp\hives\SYSTEM.LOG1
Replaying log file: D:\temp\hives\SYSTEM.LOG2
Replaying log file: D:\temp\hives\SYSTEM.LOG1
At least one transaction log was applied. Sequence numbers have been updated to 0x91\
DD. New Checksum: 0xAD729723
Found 1,024 cache entries for Windows10Creators in ControlSet001
Below is an example of ignoring transaction logs:

Example: .\SBECmd.exe -d "D:\temp\hives" --nl true --csv "D:\temp"
When ignoring transaction logs, you will see a message similar to this:
SBECmd 151
Registry hive is dirty and transaction logs were found in the same directory, but --\
nl was provided. Data may be missing! Continuing anyways...
Sequence numbers do not match! Hive is dirty and the transaction logs should be revi\
ewed for relevant data!
Found 1,024 cache entries for Windows10Creators in ControlSet001
SBECmd 152
SBECmd Command Examples
Example SBECmd Commands
Parse offline user Registry hives and output to CSV to a specified location
SBECmd.exe -d c:\temp\hives --csv c:\temp\sbeout
Parse offline user Registry hives and output to CSV to a specified location with
timestamps adjusted to a specified timezone
SBECmd.exe -d c:\temp\hives --csv c:\temp\sbeout --tz "US Eastern Standard Time"
#### Parse offline user Registry hives and output to CSV to a specified location with deduplicated
output
SBECmd.exe -d c:\temp\hives --csv c:\temp\sbeout --dedupe

SBECmd 153
SBECmd Output
Analyzing SBECmd Output - CSV

When executing SBECmd with CSV output enabled, it will output filenames similar to the examples
below:
Username_NTUSER.csv
Username_usrClass.csv
If the system you’re analzying has had 100 users who have traversed directories at some point in
time, you should see 200 CSVs for your output!
SBECmd Key Takeaways
FirstInteracted and LastInteracted
THe FirstInteracted timestamp for a shell item will provide you with the timestamp of the first time
a given user had traversed a directory within Windows. The LastInteracted timestamp for a shell
item will provide you with the last time a given user had traversed a directory within Windows.
There are no timestamps for in between those two bookends within this artifact.
SBECmd 154
SBECmd References
Blog Posts
Official Blog Posts
• ShellBags Explorer v0.5.2.0 released!¹²⁸

• ShellBags Explorer 0.5.4.0 released!¹²⁹
• A few updates¹³⁰
• ShellBags Explorer v0.8.0.0 released!¹³¹
• ShellBags Explorer 0.9.5.0 released!¹³²
• A fluery of updates!¹³³
Explorer (and SBECmd), and Registry Explorer (and RECmd)¹³⁴
Download SBECmd
SBECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
Shellbags Sample Data

Sample Shellbags (NTUser.dat and UsrClass.dat) artifacts can be found at the DFIRArtifactMu-
seum¹³⁵.
¹²⁸https://binaryforay.blogspot.com/2015/02/shellbags-explorer-v0520-released.html
¹²⁹https://binaryforay.blogspot.com/2015/02/shellbags-explorer-0540-released.html
¹³⁰https://binaryforay.blogspot.com/2015/08/a-few-updates.html
¹³¹https://binaryforay.blogspot.com/2017/01/shellbags-explorer-v0800-released.html
¹³²https://binaryforay.blogspot.com/2017/09/shellbags-explorer-0950-released.html
¹³³https://binaryforay.blogspot.com/2018/05/a-fluery-of-updates.html
¹³⁴https://binaryforay.blogspot.com/2019/01/locked-file-support-added-to.html
¹³⁵https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/Registry
SQLECmd
SQLECmd Introduction
SQLECmd is a tool created by Eric Zimmerman used to parse SQLite databases. SQLite databases
will only be parsed if a Map exists for that specific SQLite database.
SQLECmd Use Cases
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing SQLite databases which often store
common web browser artifacts. SQLECmd can provide as a validation tool to many commonly used
forensic suites that parse browsing history, as well. The SQLite queries are available on GitHub and
can be modified by the community if ever the database schema evolves enough to where current
SQLite queries do not work any longer. Additionally, this tool can be used to parse mobile artifacts
which can serve as a validation tool for common mobile forensic suites.
Private Sector
For those in the Private Sector, this tool is useful for parsing SQLite databases which often store
common web browser artifacts.
SQLECmd Maps
https://github.com/EricZimmerman/SQLECmd/tree/master/SQLMap/Maps
Creating SQLECmd Maps
If you are looking for guidance on how to create SQLECmd Maps, look no further than the following
resources:
• SQLECmd Maps Guide¹³⁶

• SQLECmd Maps Template¹³⁷
Tools/KAPE: How to Contribute to and Benefit from Open Source Contributions. Click here¹³⁸ for a
timestamped link to the section of the presentation that relates to SQLECmd Maps.
¹³⁶https://github.com/EricZimmerman/SQLECmd/blob/master/SQLMap/Maps/!OS_Application_OptionalDescription.guide
¹³⁷https://github.com/EricZimmerman/SQLECmd/blob/master/SQLMap/Maps/!OS_Application_OptionalDescription.template
¹³⁸https://youtu.be/mIb1GQP3ciE?t=682
SQLECmd 156
SQLECmd Switches
In a PowerShell window, running .\SQLECmd.exe will provide the following options when running
JLECmd:
Description:
SQLECmd version 1.0.0.0

https://github.com/EricZimmerman/SQLECmd
Examples: SQLECmd.exe -f "C:\Temp\someFile.db" --csv "c:\temp\out"

SQLECmd.exe -d "C:\Temp\" --csv "c:\temp\out"
SQLECmd.exe -d "C:\Temp\" --hunt --csv "c:\temp\out"
ands are prefixed
with two dashes
Usage:
SQLECmd [options]
Options:
-f <f> File to process. This or -d is required
-d <d> Directory to process that contains SQLite files. This or -f is req\
uired
--csv <csv> Directory to save CSV formatted results to
--json <json> Directory to save JSON formatted results to
--dedupe Deduplicate -f or -d files based on SHA-1. First file found wins [\
default: True]
--hunt When true, all files are looked at regardless of name and file hea\
der is used to
identify SQLite files, else filename in map is used to find databa\
ses [default:
False]
--maps <maps> The path where event maps are located. Defaults to 'Maps' folder w\
here program
was executed [default: C:\Users\CFUser\OneDrive - Kroll\Desktop\EZ
Tools\net6\SQLECmd\Maps]
--sync If true, the latest maps from
https://github.com/EricZimmerman/SQLECmd/tree/master/SQLMap/Maps a\
re downloaded
SQLECmd 157
and local maps updated [default: False]

-f or -d is required. Exiting
Switch Descriptions
‘–hunt‘
This switch informs the tool to hunt for SQLite databases. This is useful due to SQLite databases
often having inconsistent file extensions (or sometimes none at all). This switch will search for the
file header for SQLite databases and inform examiners which files are SQLite databases. Please note,
only those databases that have Maps made for them will be parsed.
Example: .\SQLECmd.exe -d "D:\DFIRArtifactMuseum\Windows" --csv C:\temp --hunt
SQLECmd will display the following message when a SQLite file is not found:
D:\DFIRArtifactMuseum\Windows\SRUM\Win10\RathbunVM\Clean\SRU00004.log is not a SQLite
file! Skipping...
SQLECmd will display the following message when a SQLite file is found:
Processing D:\DFIRArtifactMuseum\Windows\WindowsTimeline\Win10\APTSimulatorVM\ActivitiesCache.db...
‘–maps‘
This switch will inform the tool to look for SQLECmd Maps at a specified location other than
.\SQLECmd\Maps.
Example: .\SQLECmd.exe -d "D:\sql" --csv "D:\sql" --maps "D:\Maps"
‘–sync‘
This switch will inform the tool to download all SQLECmd Maps from GitHub¹³⁹ and update the
local Maps stored in .\SQLECmd\Maps.
Example: .\SQLECmd.exe --sync
¹³⁹https://github.com/EricZimmerman/SQLECmd/tree/master/SQLMap/Maps
SQLECmd 158
SQLECmd Command Examples
Example SQLECmd Commands
Parse someFile.db and output to CSV to a specified location
SQLECmd.exe -f "C:\Temp\someFile.db" --csv "c:\temp\out"
Parse SQLite databases located within C:\Temp and output to CSV to a specified
location
SQLECmd.exe -d "C:\Temp\" --csv "c:\temp\out"
Hunt for SQLite Databases recursively in a specified directory and output CSVs
of any mapped databases to a specified location
SQLECmd.exe -d "C:\Temp\" --hunt --csv "c:\temp\out"
The --hunt command will inform you as to which files are SQLite databases! This is very helpful
when searching for new SQLite databases to research.
SQLECmd 159
SQLECmd References

• https://github.com/EricZimmerman/SQLECmd is the GitHub repository for SQLECmd
Download SQLECmd
SQLECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
SQLite Sample Data

Sample SQLite databases can be found at the DFIRArtifactMuseum¹⁴⁰ in the Android and Windows
directories.
¹⁴⁰https://github.com/AndrewRathbun/DFIRArtifactMuseum
SrumECmd
SrumECmd Introduction
SrumECmd is a tool created by Eric Zimmerman used to parse the SRUM database. The SRUM
database is located at C:\Windows\System32\sru\SRUDB.dat and serves as the backend for Windows
Task Manager.
SrumECmd Use Cases
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing the SRUM database which can provide
another source of program execution for media players, photo viewers, etc. Additionally, being able
to see Bytes Read and Bytes Written by various programs may help provide insight as to the size
of files certain applications were handling. This may be important relating to crimes involving
contraband multimedia files. Additionally, for P2P cases, Bytes Sent and Bytes Received artifacts
can prove to be crucial datapoints for the purpose of the investigation.
Private Sector
For those in the Private Sector, this tool is useful for parsing the SRUM database which can provide
another source of program execution for potentially malicious executables. Additionally, Bytes Sent
and Bytes Received can sometimes be the only indicator of data exfiltration in the instance of a
ransomware case. If a case is known to involve data exfiltration, the SRUM database should be a
mandatory artifact to parse and analyze so long as the suspected data exfiltration occurred within
the 30 days of when the SRUM database was parsed.
SrumECmd 161
SrumECmd Switches
In a PowerShell window, running .\SrumECmd.exe will provide the following options when running
JLECmd:
Description:
SrumECmd version 0.5.1.0

https://github.com/EricZimmerman/Srum
Examples: SrumECmd.exe -f "C:\Temp\SRUDB.dat" -r "C:\Temp\SOFTWARE" --csv "C:\Temp\

\"
SrumECmd.exe -f "C:\Temp\SRUDB.dat" --csv "c:\temp"
SrumECmd.exe -d "C:\Temp" --csv "c:\temp"
ands are prefixed
with two dashes
Usage:
SrumECmd [options]
Options:
-f <f> SRUDB.dat file to parse
-r <r> SOFTWARE hive to process. This is optional, but recommended
-d <d> Directory to recursively process, looking for SRUDB.dat an\
d SOFTWARE
hive. This mode is primarily used with KAPE so both SRUDB.\
dat and
SOFTWARE hive can be located
lude the full
path in double quotes
amps. See
https://goo.gl/CNVq0k for options
[default: yyyy-MM-dd HH:mm:ss]
SrumECmd 162
Switch Descriptions
-r
This switch informs the tool to parse a SOFTWARE Registry hive at a specified location. This is
beneficial because applications referenced in the SRUM database can be resolved using data stored
within the SOFTWARE Registry hive for better results.
Example: .\SrumECmd.exe -d "C:\temp\SRUMdb" -r "C:\temp\SOFTWAREhive" --csv
"C:\temp\SRUMoutput
Please note, that using the -d switch against a directory where a SRUM database and a SOFTWARE
Registry hive resides within the subdirectories, SrumECmd will find both without needing to utilize
the -r switch to specifically point to the SOFTWARE Registry hive.
Example: .\SrumECmd.exe -d "C:\temp\KapeTriage\tout\C" --csv "C:\temp\SRUMoutput"
SrumECmd 163
SrumECmd Command Examples
Example SrumECmd Commands

Parse a SRUM database at a specified location and a SOFTWARE Registry hive
at a specified location and output to CSV to a specified location
SrumECmd.exe -f "C:\Temp\SRUDB.dat" -r "C:\Temp\SOFTWARE" --csv "C:\Temp\"
Parse a SRUM database and output to CSV to a specified location
SrumECmd.exe -f "C:\Temp\SRUDB.dat" --csv "c:\temp"
Process a specified location looking for a SRUM database and/or SOFTWARE

Registry hive to parse and output to CSV to a specified location
SrumECmd.exe -d "C:\Temp" --csv "c:\temp"

SrumECmd 164
SrumECmd Output
Analyzing SrumECmd Output - CSV

SrumECmd will produce the following CSVs:
• %timestamp%_SrumECmd_AppResourceUseInfo_Output.csv
• %timestamp%_SrumECmd_EnergyUsage_Output.csv
• %timestamp%_SrumECmd_NetworkConnections_Output.csv
• %timestamp%_SrumECmd_NetworkUsages_Output.csv
• %timestamp%_SrumECmd_PushNotifications_Output.csv
• %timestamp%_SrumECmd_Unknown312_Output.csv
• %timestamp%_SrumECmd_UnknownD8F_Output.csv
%timestamp% will look something similar to this: 20220904032628
%timestamp%_SrumECmd_AppResourceUseInfo_Output.csv
This output can be useful for seeing which applications were running at a given time.
%timestamp%_SrumECmd_NetworkUsages_Output.csv
This output can be useful for seeing which applications were sending and receiving data. This is
helpful in Incident Response engagements where data exfiltration is an important part of the mission
for examiners.
SrumECmd 165
SrumECmd Sample Data

Sample SRUM database artifacts can be found at the DFIRArtifactMuseum¹⁴¹.
¹⁴¹https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/SRUM
SrumECmd 166
SrumECmd References

• https://github.com/EricZimmerman/Srum is the GitHub repository for SrumECmd
Blog Posts
Community Resources
• AboutDFIR - App Timeline Provider – SRUM Database¹⁴²
Download SrumECmd
SrumECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
SRUM Sample Data

Sample SRUM artifacts can be found at the DFIRArtifactMuseum¹⁴³.
¹⁴²https://aboutdfir.com/app-timeline-provider-srum-database/
¹⁴³https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/SRUM
SumECmd
SumECmd Introduction
SumECmd is a tool created by Eric Zimmerman used to parse the SUM database. The SUM database
is located at C:\Windows\System32\LogFiles\SUM where multiple *.mdb files can be located.
SumECmd Use Cases
Law Enforcement
For those in Law Enforcement, SumECmd may not have an immediate use unless the system(s)
being analyzed is attached to a domain. The SUM database can provide authentication history
within a Domain, IP resolution within the Domain, and the first and last time an account has been
authenticated within a Domain.
Private Sector
For those in the Private Sector, SumECmd can provide helpful information regarding which
compromised accounts have authenticated where and when within a Domain. Additionally, having
visibility into the DNS history of a Domain for the current year and previous 2 years is incredibly
helpful when trying to figure out which IP address resolved to which host when.
SumECmd 168
SumECmd Switches
In a PowerShell window, running .\SumECmd.exe will provide the following options when running
SumECmd:
Description:
SumECmd version 0.5.2.0

https://github.com/EricZimmerman/Sum
Examples: SumECmd.exe -d "C:\Temp\sum" --csv "C:\Temp\"
Short options (single letter) are prefixed with a single dash. Long com\
mands are
Usage:
SumECmd [options]
Options:
-d <d> Directory to process, looking for SystemIdentity.mdb, Current.mdb,\
etc.
Required.
full
--wd Generate CSV with day level details. Default is TRUE [default: Tru\
e]
-d is required. Exiting
SumECmd 169
Switch Descriptions
--wd
This switch will generate CSVs with day level details. This means an extra CSV will be generated
named TIMESTAMP_SumECmd_DETAIL_ClientsDetailed_Output.csv. When running SumECmd with
--wd false, this CSV will not generate.
Example: .\SumECmd.exe -d "D:\Test\SUM" --csv "D:\temp" --wd
SumECmd Command Examples
Example SumECmd Commands
Parse the SUM database and output CSVs to a specified location
SumECmd.exe -d "C:\Temp\sum" --csv "C:\Temp\"

SumECmd 170
SumECmd Output
Analyzing SumECmd Output - CSV

SumECmd will output the following CSVs when ran against a Domain Controller’s SUM database
with the ADDS (Active Directory Domain Services) role assigned to it:
%timestamp%_SumECmd_DETAIL_Clients_Output.csv
%timestamp%_SumECmd_DETAIL_ClientsDetailed_Output.csv
%timestamp%_SumECmd_DETAIL_DnsInfo_Output.csv
%timestamp%_SumECmd_DETAIL_RoleAccesses_Output.csv
%timestamp%_SumECmd_SUMMARY_ChainedDbInfo_Output.csv
%timestamp%_SumECmd_SUMMARY_RoleInfos_Output.csv
%timestamp%_SumECmd_SUMMARY_SystemIdentInfo_Output.csv
If a Domain Controller does NOT have the ADDS role assigned to it, you will still see the above
output, but you likely will not see the DnsInfo output.
%timestamp%_SumECmd_DETAIL_Clients_Output.csv
This output is useful for helping examiners observe which accounts authenticated where within a
given domain. Insert Date and Last Access can be interpreted as the first and last time an account
authenticated to the IP Address listed in the column of the same name.
%timestamp%_SumECmd_DETAIL_ClientsDetailed_Output.csv
This output will provide a different look at the most of the same info from the output mentioned
above. Between this output and the above output, examiners can glean good insight as to which
accounts authenticated where, when, and how many times along with an idea of when the first and
last authentication occurred.
%timestamp%_SumECmd_DETAIL_DnsInfo_Output.csv
This output is incredibly useful for providing the examiner with historical DNS information within
the domain. If an examiner needs to know which host a certain IP address resolves to within a
domain, first locate a Domain Controller that has the ADDS role assigned (often trial and error) and
locate this table’s output!
As a protip, in Timeline Explorer, sort ascending on the hostname and then secondary sort (hold
down shift while clicking on the next column you want to sort on) on Last Seen. This will give you
a great overview of which hosts had which IP addresses when.
%timestamp%_SumECmd_DETAIL_RoleAccesses_Output.csv
This output will provide examiners with an idea of which roles were assigned to the Windows Server
endpoints within a given domain along with their Role GUIDs.
SumECmd 171
%timestamp%_SumECmd_SUMMARY_ChainedDbInfo_Output.csv
This output will provide examiners with an idea of which calendar years are covered within the SUM
database for a Domain Controller within a given domain. Please note, that the second a Domain
Controller connects to a domain for the first time, it will only have information from that point
forward. It will not inherit historical information within the domain prior to the time of host coming
online within the domain.
SumECmd References

• https://github.com/EricZimmerman/Sum is the GitHub repository for SumECmd
Blog Posts
Community Resources
• A new type of User access log¹⁴⁴

• Windows User Access Logs (UAL)¹⁴⁵
Download SumECmd
SumECmd can be downloaded from https://ericzimmerman.github.io/#!index.md
SUM Sample Data

Sample SUM artifacts can be found at the DFIRArtifactMuseum¹⁴⁶.
¹⁴⁴https://advisory.kpmg.us/blog/2021/digital-forensics-incident-response.html
¹⁴⁵https://svch0st.medium.com/windows-user-access-logs-ual-9580f1100635
¹⁴⁶https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/SUM
VSCMount
VSCMount Introduction
VSCMount is a tool created by Eric Zimmerman used to mount Volume Shadow Copies (VSCs).
Volume Shadow Copies can be used to uncover artifacts that no longer reside on the computer.
VSCMount Use Cases
Law Enforcement
For those in Law Enforcement, VSCs may provide access to files that no longer currently exist on
the forensic image being analyzed. Taking advantage of VSCs may provide more evidence for an
investigation.
Private Sector
For those in the Private Sector, VSCs may provide more visibility into historical artifacts within
event logs, Registry hives, and NTFS metadata files. These are common sources for quick wins that
are often subject to data rolling over, si the more visibility, the better.
VSCMount 173
VSCMount Switches
In a PowerShell window, running .\VSCMount.exe will provide the following options when running
JLECmd:
Description:
VSCMount version 1.5.0.0

https://github.com/EricZimmerman/VSCMount
Examples: VSCMount.exe --dl C --mp C:\VssRoot --ud --debug
ands are
Usage:
VSCMount [options]
Options:
--dl <dl> Source drive to look for Volume Shadow Copies (C, D:, or F:\ for e\
xample)
--mp <mp> The base directory where you want VSCs mapped to
--ud Use VSC creation timestamps (yyyyMMddTHHmmss.fffffff) in symbolic \
link
names [default: True]
--dl is required. Exiting

VSCMount 174
Switch Descriptions
--dl
This switch will allow for the examiner to specify which drive letter to search for Volume Shadow
Copies to be mounted. In the below example, a folder will be created at the root of the C:\ drive
labeled vssroot_C and the following folders will be created, as an example:
• vss067-20220802T071544.8950680
• vss069-20220802T111643.1360760
• vss073-20220802T151751.7332050
• vss075-20220802T191857.4091500
• vss077-20220802T231954.8229610
• vss079-20220803T145849.8753330
• vss081-20220803T154303.5886250
• vss082-20220803T185949.1160530
• vss084-20220804T122438.3318770
• vss085-20220804T125916.5830320
• vss087-20220804T170016.7516520
• vss089-20220805T002628.8687860
Example: .\VSCMount.exe --dl C --mp C:\vssroot
--mp
This switch will allow for the examiner to specify the directory in which the Volume Shadow Copies
found with the --dl switch will be mounted to for easy access.
Example: .\VSCMount.exe --dl C --mp C:\vssroot
--ud
This switch will use the creation timestamps (yyyyMMddTHHmmss.fffffff) in symbolic link names.
Given that the default is true, if you run the below command, you will find the following output
compared to the exmaple listed above for the --dl switch:
• vss067
• vss069
• vss073
• vss075
• vss077
• vss079
• vss081
VSCMount 175
• vss082
• vss084
• vss085
• vss087
• vss089
Example: .\VSCMount.exe --dl C --mp C:\vssroot --ud false

VSCMount 176
VSCMount Command Examples
Example VSCMount Commands

Mount VSCs from the C:\ drive and map them to a specified directory while
using VSC creation timestamps in symbolic link names with debug messages
enabled
.\VSCMount.exe --dl C --mp C:\VssRoot --ud --debug
VSCMount References

• https://github.com/EricZimmerman/VSCMount is the GitHub repository for VSCMount
Blog Posts
Official Blog Posts
• Introducing VSCMount¹⁴⁷
Download VSCMount
VSCMount can be downloaded from https://ericzimmerman.github.io/#!index.md
¹⁴⁷https://binaryforay.blogspot.com/2018/09/introducing-vscmount.html
WxTCmd
WxTCmd Introduction
WxTCmd is a tool created by Eric Zimmerman used to parse the Windows Timeline¹⁴⁸.
The Windows Timeline feature was added to Windows 10 with the 1804 (April
2018) feature update. The Windows Timeline can be found at the following location:
C:\Users\%User%\AppData\Local\ConnectedDevicesPlatform\L.CFUser\ActivitiesCache.db.
WxTCmd Use Cases
Law Enforcement
For those in Law Enforcement, this tool is useful for parsing Windows Timeline artifacts which
can provide program execution activity that can be attributed to a specific user account. This can
be useful for providing attribution of activity for various crimes involving media players, photo
viewers, etc. Establish which Windows account the suspect was using during the time of interest
and see what this artifact can provide to you.
Private Sector
For those in the Private Sector working ransomware cases, this tool is useful for parsing Windows
Timeline artifacts which can provide program execution activity that can be attributed to a specific
user account. For instance, an account compromised by a threat actor may have useful artifacts
within the user of interest’s Windows Timeline.
For insider threat cases, this artifact can provide useful program execution artifacts that can be
attributed to a specific user of interest. Any applications used by the user during the timeframe
of interest may be recorded here so long as the events occurred within 30 days of acquiring the
Windows Timeline artifact.
¹⁴⁸https://support.microsoft.com/en-us/windows/get-help-with-timeline-febc28db-034c-d2b0-3bbe-79aa0c501039
WxTCmd 178
WxTCmd Switches
In a PowerShell window, running .\WxTCmd.exe will provide the following options when running
JLECmd:
Description:
WxTCmd version 1.0.0.0

https://github.com/EricZimmerman/WxTCmd
Examples: WxTCmd.exe -f
"C:\Users\eric\AppData\Local\ConnectedDevicesPlatform\L.eric\ActivitiesCache.db" -\
-csv
c:\temp
Database files are typically found at

'C:\Users\<profile>\AppData\Local\ConnectedDevicesPlatform\L.<profile>\ActivitiesC\
ache.db'
ands are
Usage:
WxTCmd [options]
Options:
-f <f> File to process. Required
full
--dt <dt> The custom date/time format to use when displaying timestamps. See
WxTCmd 179
Switch Descriptions
Thankfully, WxTCmd doesn’t have any unique switches that aren’t already covered in the common
switches chapter.
WxTCmd Command Examples
Example WxTCmd Commands
Parse the Windows Timeline and Output to CSV to a Specified Location
WxTCmd.exe -f "C:\Users\eric\AppData\Local\ConnectedDevicesPlatform\L.eric\Activitie\
sCache.db" --csv c:\temp
WxTCmd Output
Analyzing WxTCmd Output - CSV
‘%timestamp%_Activity_PackageIDs.csv‘
This CSV will contain GUIDs of applications that were executed on disk. Generally speaking, this
CSV is not going to be as useful as the CSV highlighted below.
‘%timestamp%__Activity.csv
This CSV will contain the Start Time and End Time of an application’s execution by a given user. This
database is user specific, so this activity can be associated with a specific user account. Additionally,
there is a JSON payload for each entry within the Windows Timeline SQLite database that may
provide further context for an entry within the database.
WxTCmd 180
WxTCmd Key Takeaways
Timestamps
WxTCmd will output the following timestamps of interest:

* StartTime - The timestamp of when the user opened an application
* EndTime - The timestamp of when the user closed an application
WxTCmd 181
WxTCmd References

• https://github.com/EricZimmerman/WxTCmd is the GitHub repo for WxTCmd
Blog Posts
Official Blog Posts
Blog posts from Eric Zimmerman’s blog, Binary Foray¹⁴⁹:
• Introducing WxTCmd!¹⁵⁰
Community Resources
• Windows Timeline: Putting the what & when together¹⁵¹

• Windows 10 Timeline Feature¹⁵²
• Some thoughts about Windows 10 “Timeline” forensics artifacts¹⁵³
• Windows Artifacts for Forensics Investigation¹⁵⁴
Download WxTCmd
WxTCmd can be downloaded from https://ericzimmerman.github.io/#!index.md
Windows Timeline Sample Data

Sample Windows Timeline artifacts can be found at the DFIRArtifactMuseum¹⁵⁵.
¹⁴⁹https://binaryforay.blogspot.com/
¹⁵⁰https://binaryforay.blogspot.com/2018/05/introducing-wxtcmd.html
¹⁵¹https://niiconsulting.com/checkmate/2021/10/windows-timeline-putting-the-what-when-together/
¹⁵²https://www.datadigitally.com/2019/04/windows-10-timeline-feature.html
¹⁵³https://andreafortuna.org/2019/10/03/some-forensic-thoughts-about-windows-10-timeline/
¹⁵⁴https://tajdini.net/blog/forensics-and-security/windows-artifacts-for-forensics-investigation/
¹⁵⁵https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/WindowsTimeline
EZ Tools - GUI
EZViewer
EZViewer Introduction
EZViewer is a standalone, zero dependency viewer for .doc, .docx, .xls, .xlsx, .txt, .log, .rtf, .otd, .htm,
.html, .mht, .csv, and .pdf. Any non-supported files are shown in a hex editor (with data interpreter!).
Please note, this tool is read only and therefore cannot edit any files!
EZViewer Use Cases
Law Enforcement
For those in Law Enforcement, this tool is useful for bringing on site to a search warrant and not
having to worry about having a certain application to open a certain file type.
Private Sector
For those in the Private Sector, this tool is useful for bringing on site to a client engagement and not
having to worry about having a certain application to open a certain file type.
EZViewer 184
EZViewer Screenshot
EZViewer Key Takeaways

EZViewer is a great tool to have on your flash drive when you’re on site at a search warrant or at
a client’s site. There is no need to deal with Microsoft Office. Just use EZViewer in all of its fully
portable glory so you can view those files without any of the first-party dependencies!
Pro-tip: hold down control and scroll with your mouse wheel to zoom in and out.
As stated above, you can open any file in EZViewer! If it’s not supported, it’ll open in hex view, as
seen below:
EZViewer 185
Supported file formats like Word (.docx) will appear as such:

EZViewer 186
EZViewer References
Download EZViewer
EZViewer can be downloaded from https://ericzimmerman.github.io/#!index.md
Hasher
Hasher Introduction
Hasher is a tool created by Eric Zimmerman used to generate hash values for files and/or folders.
Hasher Screenshot
Hasher 188
Hasher Features
Hasher can generate hash values for a single file or a folder of files, as seen below.
Hasher Options
Hasher provides examiners with multiple options in the Tools -> Options menu.
Hasher 189
Within these options, examiners can choose which hash algorithms Hasher should calculate, how
many worker threads, the default save path, default file delimiter, and other settings.
These settings will be saved within a Hasher.ini settings file.
Hasher Settings
Below is an example of Hasher.ini.
Hasher 190
1 [General]
2 DefaultSavePath =
3 AutoSaveResults = False
4 FileDelimiter = Tab
5 ClearResultsBetweenRuns = False
6 MAXThreads = 10
7 [Algorithms]
8 MD5 = True
9 SHA1b32 = True
10 SHA1b16 = False
11 MD4 = False
12 Tiger = False
13 Whirlpool = False
14 SHA-256 = False
15 SHA-512 = False
16 RipeMD-256 = False
17 eMule = False
18 CRC32 = False
19 [Theme]
20 Theme = Visual Studio 2013 Blue
Hasher 191
Exporting Hasher Results

Once files/folders have been hashed in Hasher, examiners can export the results to multiple formats.
Hasher 192
Exporting to .txt will provide an output file named similarly to 2022-11-12-222212-HasherResults.txt.

Below is an example of Hasher output.
1 File name SHA1 base32 MD5

2 D:\ZimmermanTools\PECmd.exe Z5AODWE3HRXUWLJMJBEMFVXGK7APOAQU 1AFED4AFCB86C8AC6BA2AA3\
3 C6160072A
Hasher References
Quick Help
Below is the information located in Help -> Quick Help.
1 To use, select some files and/or folders and drag/drop them onto the main program wi\
2 ndow. Alternatively, use the File menu options to select files or a folder.
3
4 As files are hashed, you can sort, filter, search, etc. by interacting with the colu\
5 mn headers: Left click to sort and right click for a context menu with many more opt\
6 ions.
7
8 CTRL-C will copy the highlighted row to the clipboard. ALT-C will copy only the sele\
9 cted cell to the clipboard.
10
Hasher 193
11 You can export the search via the File menu once hashing is complete.
12
13 You can set various options via the Options menu.
Download Hasher
Hasher can be downloaded from https://ericzimmerman.github.io/#!index.md
JumpList Explorer
JumpList Explorer Introduction
JumpList Explorer is a tool created by Eric Zimmerman that can be used to visually parse JumpList
files. JumpList files are OLE containers¹⁵⁶ like many other filetypes within the Windows operating
system.
Below is a screenshot of JumpList Explorer without any artifacts loaded.
¹⁵⁶https://learn.microsoft.com/en-us/cpp/mfc/ole-background?view=msvc-170
JumpList Explorer 195
Below is a screenshot of JumpList Explorer with all JumpLists ingested from

.\DFIRArtifactMuseum\Windows\JumpLists\Win10\RathbunVM artifacts
JumpList Explorer Functionality
Exporting LNK Files

JumpList files are simply a collection of LNK files associated with a given application. JumpList
Explorer provides functionality for exporting out the LNK files associated with a given application
via File -> Export -> Lnk Files, as seen below.
Exploring Automatic Destinations

JumpList Explorer can parse AutomaticDestinations files, as seen below.
Exploring Custom Destinations

JumpList Explorer can parse CustomDestinations files, as seen below.
Search
The search bar can be enabled by clicking on the magnifying glass in the top right corner, as seen
below.
Once the magnifying glass is clicked on, the search bar will be visible, as seen below.
JumpList Explorer References

Please note, JumpList Explorer is not an open source tool.
Download JumpList Explorer

JumpList Explorer can be downloaded from https://ericzimmerman.github.io/#!index.md
JumpList Sample Data

Sample JumpList files can be found at the DFIRArtifactMuseum¹⁵⁷.
¹⁵⁷https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/JumpLists
MFT Explorer
MFT Explorer Introduction
MFT Explorer is a tool created by Eric Zimmerman that can be used by forensic examiners to ingest
$MFT files and visually explore the contents. Please note, this tool is not meant to ingest large $MFT
files and therefore should be used on smaller $MFTs and purely for educational purposes. Everyday
forensic examiners should use MFTECmd to parse $MFT files and export the output to CSV.
MFT Explorer with the tdungan $MFT ingested

MFT Explorer 203
MFT Explorer Features
Find Panel
Enabling the Find panel is done by simply right-clicking on a column header and clicking Show Find
Panel, as seen below.
Enabling the Find panel in MFT Explorer

MFT Explorer 204
Once enabled, the Find panel will be visible in the top right corner, as seen below.
Find panel enabled in MFT Explorer
MFT Explorer References
Download MFT Explorer

MFT Explorer can be downloaded from https://ericzimmerman.github.io/#!index.md
Registry Explorer
Revision history
2015-07-01 Rev. 1 – Initial release
2016-06-08 Rev. 2 – Updated for v0.8.1.0
2017-05-19 Rev. 3 – Updated for v0.9.0.0
2017-03-02 Rev. 4 – Updated for v1.0.0.0
2019-01-15 Rev. 5 – Updated for v1.2.0.0
2022-07-14 Rev. 6 - Leanpub release
Registry Explorer Introduction

Registry Explorer is a GUI based tool used to view the contents of offline Registry Hives. It can load
multiple hives at once, search across all loaded hives using strings or regular expressions, exporting
of data, and much more.
Why Another Registry Tool?

The need for Registry Explorer and RECmd came about out of writing a fully managed offline
Registry hive parser in C#. Existing parsers did not offer the features I was looking for and as such,
research and coding began. The Registry project serves as the basis for several programs including
ShellBags Explorer, AppCompatParser, etc. Once the back end was mature, I wanted an easy to use
and powerful way to expose the capabilities of the parser.
Registry Explorer 206
Registry Explorer fills the gaps in existing tools and expands the capabilities of Registry viewers in
many unique and powerful ways. It is GUI based and contains powerful searching, filtering, and
other visualization concepts that makes exploring Registry hives very easy while exposing all the
technical information contained in Registry hives.
RECmd was created in order to be able to script access to Registry hives, conduct new research, and
automate searching across multiple Registry hives at once from the command line.
Because both tools use the same back end, both have the same searching and viewing capabilities
including the full recovery of deleted keys and values. The parser also exposes value slack.
In summary, the capabilities of Registry Explorer and RECmd allows for quickly examining multiple
hives at once and they can be leveraged to find new places where currently understood data is located
in an easy to use and systematic way. It can be used in educational settings to not only understand
the Registry from a functional level, but also from a deeply technical perspective.
Getting Started
After starting Registry Explorer, the main interface is displayed.
Settings for various things like program options, window size, slider positions, window positions,
recent searches, etc. are all saved and reloaded between program executions. You can reset these
options by deleting the relevant files under the Settings directory in the main Registry Explorer
folder. The .layout files are for the trees and grids.
Tooltips are shown when hovering over different areas of the program. For example, hovering over
the Key section of the status bar shows the following:
Interface sections
There are five sections to the main interface.
Registry hives
On the left side of the window is the Registry hives tab. This tab displays the Registry hives that have
been loaded and the keys contained therein. Once at least one hive is loaded and a key is selected,
a context menu is available by right clicking on a key. The context menu options will be discussed
below in the Key context menu section.
Available bookmarks
Next to the Registry hives tab is the Available bookmarks tab. This tab will be discussed in detail
below.
Values
The Values grid shows all the values contained in the key that is selected in the Registry hives tab.
Once a value is selected, a context menu is available by right clicking on a value. The context menu
options will be discussed below.
Value details
The Value details area contains one or more tabs that dynamically adjust depending the type of
value selected. In every case, a type viewer will be displayed that shows the value of the selected
key. If a value has slack, a separate tab will be shown that allows you to view the slack space in a
hex viewer.
These concepts will be explained in more detail in the Using Registry Explorer section below.
Status bars
Across the bottom of the interface are several status bars as seen below.
Top status bar
The top status bar contains details about the path to the selected key and the selected value. On the
far left is a check box that toggles whether to show the root key name in the key path. By default,
the root key path is not shown. The screen shot below shows what this option does when turned on
and off.
By hiding the root key name, longer key paths will not be truncated as different keys are selected.
To the far right of the top status bar is a button that, when clicked, will collapse all loaded hives back
to their default state. This is a handy shortcut to clean up the Registry hives tree after interacting
with it and expanding many keys and subkeys.
Double clicking the key path will copy the key path to the clipboard. Holding Shift and double
clicking will copy only the key name to the clipboard.
Double clicking the value will copy the value’s name to the clipboard. Holding Shift and double
clicking will copy the value’s data to the clipboard.
Bottom status bar
The bottom status bar contains the last write timestamp, the status of filters for values, a section for
general status messages, an indicator of the total number of keys that are hidden from view, and the
total number of messages available on the Messages form.
Double clicking on the Total messages counter will show the Messages form. If there are any errors in
the Messages form, the background will be changed to yellow. If there are any errors, the background
will be changed to red. When the Messages tab is viewed, the background color will be changed back
to its default.
Double clicking the last write timestamp will copy it to the clipboard.
Main menu
The main menu contains options that allows for loading hives, searching hives, opening bookmarks,
and so on. In many cases, the menu items will have shortcut keys associated with them. Pressing
the keys shown by a menu item on the keyboard will activate that menu item.
The various sections below will explain these submenus. Where things are obvious (like File | Exit),
no additional information will be provided.
File
The File menu contains options for loading hives (you can also simply drag and drop one or more
hives onto the main interface to load them) and exporting.
• Load offline hive: Allows for loading one or more hives. To select more than one file, select a
file, then hold Shift and select the last file to load. You can also hold Ctrl and click files to select
them individually.
• Unload all hives: Unloads all hives at once vs. removing one at a time
• Project: Allows for loading/saving of projects. Projects will be discussed below.
• Export ‘Registry hives’: Exports what is shown in the Registry hives tab to a variety of formats.
As an example, if the Registry hives tree looked like this:
Exporting to PDF would generate a PDF file that contains the following:
This is useful for generating reports or other documentation that is easier to manipulate than simply
taking a screen shot.
Tools
The Tools menu contains a single item, Find.
Using this option will be explained in full detail below in the Using Registry Explorer section
Options
This menu contains several options that control such things as recovering deleted records, viewing
hidden keys, etc.
• Recover deleted keys/values: When enabled (the selector is to the right), Registry Explorer will
recover any deleted records available during hive loading
• Show associated deleted records: When enabled, all associated deleted records will be shown in
a special group under the main Registry hive data. Any recovered keys that could be associated
with an active (that is, not deleted) key will also be shown in relation to the active key. This
will be explained more in a subsequent section.
• Show unassociated deleted records: Like the previous option, but this group contains all of the
keys that could not be associated with an active key.
• Show parent keys when filtering: This option changes the way the Registry hives tree works
when using the column filters. When this option is enabled, any keys that match a filter will
be displayed, along with the parent keys that the matching key belongs to as seen in the screen
shot below.
The keys highlighted in yellow are parent keys that may not contain the text entered in the filter
column.
If we turn off this option, we get a much different result as seen below.
Notice in this screen shot only the keys that match the filter criteria are shown. This can greatly
reduce noise in the results in addition to lessening the need to scroll to the keys that match the filter
criteria.
The other aspect this option controls is whether to show subkeys of keys that match a given filter.
With the option on, any subkeys of keys that match the filter will continue to be shown. With the
option off, subkeys of keys matching the filter are hidden.
• Show hidden keys: When enabled, any keys that have been hidden will be shown in the Registry
hives tree. In the screen shot below, several keys are shown.
While we haven’t discussed how to hide keys yet (it has its own section below), if we right click on
a key, an option to hide the selected key (based on the key path, not just the key name) is shown.
For example, if we hide the MuiCache key, it will disappear, as seen below.
Notice the MuiCache key is no longer visible (assuming the Show hidden key option is off). If we
enable this option, the MuiCache key will be shown in its original place, but the icon is different to
show that it is in fact a hidden key.
When a key is hidden, the lower right corner will have a red dash to indicate this.
• Manage hidden keys: Brings up an interface to remove keys from the auto hide list. There
are two options available when hiding keys: hide for session and hide and add to auto hide.
The Manage hidden keys interface only displays key paths that have previously been added to
the auto hide list. Any key paths removed from the auto hide list will be unhidden when the
Manage hidden keys interface is closed. Additional ways to unhide keys will also be discussed
in a subsequent section.
• Skins: Allows for selecting a skin or theme that Registry Explorer will use.
• Preferences: Program options such as timestamp format, binary data as base64, etc.
The Preferences dialog allows you to change the default timestamp format and other parameters as
seen below.
Bookmarks
The Bookmarks menu contains both common (included with Registry Explorer) and user created
bookmarks to “of interest” Registry keys. Bookmarks can be created for any Registry key (we will
see how to create our own bookmarks soon). Bookmarks that are included with Registry Explorer
will show up under the ‘Common’ menu and any user created bookmarks will appear under the
‘User created’ menu.
Bookmarks live in a subdirectory of the main Registry Explorer program directory in a directory
named Bookmarks. The Bookmarks directory contains two subdirectories, Common and User. To
move a user created bookmark from the User created to Common submenu, simply move the
bookmark file from the User directory to the Common directory.
The Manage bookmarks interface can be used to edit or delete bookmarks. Additionally, simply
deleting the bookmark file from the Common or User directory will also remove the bookmark.
Bookmarks are simple json files and can also be edited with any text editor. Since they are simple
json files, exchanging a good set of bookmarks with other users is as easy as sending someone else
the bookmark files from the User directory. There is a project on GitHub, found here¹⁵⁸, that you
can push your Bookmarks to.
¹⁵⁸https://github.com/EricZimmerman/RegistryExplorerBookmarks
The main Bookmarks menu contains two numbers at the end. The first number is the total number
of Common bookmarks that exist in the selected hive and the last number is the number of User
bookmarks that exist in the selected hive. Clicking on any of the bookmarks will cause Registry
Explorer to jump to the bookmarked key.
Bookmarks are tied to a Registry hive type and a key path within that hive type. When we discuss
creating bookmarks below this will become clearer, but for now remember that each bookmark is
associated with a certain flavor of Registry hive (NTUSER, UsrClass, SYSTEM, etc.).
The Bookmarks menus dynamically adjust as hives are loaded and selected. For example, suppose
you have the following bookmarks by hive type:
• NTUSER.DAT: 40 bookmarks
• USRCLASS.DAT: 8 bookmarks
You then load an NTUSER and USRCLASS hive. The NTUSER hive contains 25 out of the 40 key
paths as defined in the NTUSER.DAT related bookmarks (25 from Common). The USRCLASS hive
contains two out of the eight bookmarks (one from common and one from user created). If you
click on anything in the NTUSER.DAT hive, the Bookmarks menu will change to show you only the
bookmarks that actually exist in the NTUSER hive, like this:
If you then click on the USRCLASS hive, the Bookmarks menu will again dynamically adjust to
show what is available in the USRCLASS hive.
Again, clicking a bookmark will jump to the key as defined in the bookmark. For example, clicking
on the BagMRU bookmark results in the following key being selected (and of course all parent keys
will be expanded so the bookmarked key is visible).
Because the Bookmarks menu dynamically adjusts itself based solely on what exists in the active
hive, you do not have to click on bookmarks before you know whether they exist. This is a huge
time saver and makes drilling down into hives much easier.
As you interact with loaded hives, the Bookmarks menu will show you at a glance how many
bookmarks are available, but as we will soon see, Registry Explorer has an even easier way to interact
with bookmarks (the Available bookmarks tab).
The bookmark names are sorted alphabetically as well so it’s easy to find the bookmark you are
interested in.
View
The View menu contains two options: Messages and Plugins.

Messages toggles visibility of the Messages window. The Messages window displays status messages
and other feedback as hives are loaded and so on.
Hives tend to process and load faster when the Messages window is hidden, so keep that in mind
when loading many hives at once or when processing large hives.
The total number of messages is also shown on the main window’s bottom status bar to the far right.
Double clicking the message count will show the Messages form.
As mentioned above, the background of the messages count will be yellow if and warning message
exists and red if an error message exists. The background color will return to default when the
Messages window is shown.
The Plugins option displays a list of available plugins and includes such details as the author, key
paths, and descriptions of what the plugin does.
Plugins will be discussed in more detail in a dedicated section of this manual.
Help
The Help menu contains three options: Quick help, Legend, and About. The Legend shows the
various icons seen in the Registry hives tree and a description about them.
The legend contains descriptions for the different icons used for various Registry objects such as
hives, keys, and existing key placeholders. The legend can be seen below.
Using Registry Explorer
General concepts
Once hives are loaded into Registry Explorer, Registry Explorer allows you to sort, filter, etc. on both
the tree on the left as well as any grids on the right.
Sorting
Sorting works like most every other program in that you can click on a column header to sort that
column. Here the Value Name column has been sorted.
Notice the small arrow indicating the sort order.
Other options
Right clicking on a column header will bring up a context menu that allows for sorting (as well
as removing any existing sorting), grouping, and customization of columns including hiding or
showing any columns.
page 21 of 86 done
Filtering
A column can be filtered by clicking in the blank space below the column header and entering
something to filter by. The data will be filtered in real time and the bottom status bar will indicate
how many things have been filtered out.
When filters are in place (by entering text in the areas below the column name), information about
the active filter will be shown at the bottom of the tree or grid as shown below.
The leftmost X can be used to clear the active filter, the checkbox can be used to disable the filter
without clearing it, and the down arrow on the right side contains a history of the different filters
that have been recently used.
The ‘Edit filter’ button on the far right allows you to edit the current filter as needed. This is the
same option that is available in the context menu from above.
Using these options, very detailed filters can be created.

Clicking the icon in the left side of the filter area allows for changing the filter criteria as well. The
default is ‘Contains’
Conditional formatting
The Registry hives tree, Available bookmarks tree, values grid, and Find results grid all support
creating rules to format any column contained therein.
For example, by right clicking on the Key name column in the Registry hives tree, the following
menu is shown.
There are options to format things on a variety of conditions, as seen below.
If we select the ‘Text that contains…’ option and enter ‘Bags’ along with how we want any matching
rows to be formatted, the tree will reflect these changes. For example, if we entered the following
conditions:
The Registry hives tree would then look like the screen shot below. The instances of ‘Bags’ in the
highlighted rows have been circled for emphasis.
These formatting options allow you to create powerful visual indicators when data that is relevant
to you is present in the hives you are looking at. Of course, all formatting options are remembered.
Use the same conditional formatting menu to edit rules.
Loading hives
To load hives into Registry Explorer, either select one or more hives and drag/drop them onto the
main interface. You can also use File | Load offline hive or press Alt+1 to select hives.
Registry Explorer will load the hives in parallel and as such, smaller hives will show up in the
interface before larger ones. When loading more than one hive at a time, check the status bar at the
bottom of the main window to see how many more hives are being processed.
After selecting a hive, Registry Explorer will fully process the hive. Once that is done, the hive will
be displayed on the main interface. The top-level node for a hive is the full file path to the hive as
seen below. The hive node has a green icon and is also in bold to differentiate it from keys.
The last write timestamp for the hive is the timestamp value from the header of the hive.
Below the hive name is the root key for the hive. The root key name can vary for every hive that
is loaded. All other keys in the active (that is, not deleted) portion of the Registry will be displayed
under the root key.
If the option to recover deleted records is enabled, up to two different virtual keys may be created:
one for Associated deleted records and one for unassociated deleted records. These virtual keys will
not be shown if there aren’t any deleted records of that type available. As discussed above, these
keys can also be hidden using the relevant option under the Options menu.
The number after Registry hives in parenthesis is the total number of hives loaded. In the example
below, there are 18 hives loaded.
Dirty hives
In some cases, Registry Explorer will inform you that a hive is dirty when it is loaded. This means
the hive’s header primary and secondary sequence numbers do not match. More importantly, there
is uncommitted data in one or more transaction logs that need to be applied to the original hive to
ensure the most recent data is presented.
The transaction logs are found in the same directory as the hive itself and end with .LOG1 and
.LOG2. Both are needed to accurately replay the transactions contained therein. Registry Explorer
will determine which logs to apply and the order to apply them.
Once the logs have been replayed, Registry Explorer will offer to save out the updated hive to a new
location. The new hive’s header sequence numbers will also be updated to match. This hive (along
with the dirty hive, optionally) can then be loaded into Registry Explorer for review.
Projects
Projects allow you to load one or more hives into Registry Explorer and save the currently loaded
hives into a project file. This allows you quickly load the same hives for a particular case quickly vs
having to load a bunch of hives individually. You can also drag and drop Registry Explorer project
files (.re_proj) just like you would a registry hive.
Selecting keys
Selecting keys in Registry Explorer works much the same as it does in regedit or selecting directories
in Windows Explorer. Clicking the small arrow to the left of the key name or double clicking a key
will expand that key, displaying any subkeys that are present. If the arrow is not visible, the key does
not have any subkeys.
Keys can be double clicked and expanded, drilling down into the key hierarchy, until the key you
are interested in is located. Alternatively, you can simply start typing a key’s name and the keys will
be dynamically expanded as matching keys are found in the tree.
For example, assume Registry Explorer looks like this:
If you want to look at the contents of the BagMRU key, click on either the hive path or the root key,
then start typing BagMRU. As each letter is typed, Registry Explorer will search for matching keys
and select them. After a few keystrokes, the following key is selected.
Notice also the part of the key that matched what was typed is highlighted. While a bookmark can
be used to quickly jump to a particular key, using this technique can save a lot of time when you
know the name of the key you are interested in.
Filtering keys
The top of the Registry hives tree contains areas to enter text to filter that column. One thing to
note is that only expanded keys are included in the filter results. To filter against all keys in a hive,
use the context menu option to expand all subkeys (or press Alt+Down) before filtering. The next
section will cover the context menu in detail.
The Options | Show parent keys when filtering option affects what is shown when filtering keys. See
the Options section for a full discussion on how this option works.
While it may seem that filtering is the quickest way to find a certain key, it is quite often faster to
type the name of a key you are interested in (or better yet, using Tools | Find if it exists in more than
one place).
Key context menu
As in other places, the context menu changes dynamically depending on what you right click on.
For example, if you right click on a hive’s full path, you will see the option to remove the hive from
Registry Explorer. Right clicking anywhere else but the hive’s path will hide this option from view.
Similarly, if a key is hidden, an option to unhide the key will be shown, else it will be hidden, and
so on.
The key context menu looks like this:
The name of the currently selected key is shown at the top. Most options also have shortcuts which
can be used in lieu of using the mouse.
• Remove hive: Removes the loaded hive from Registry Explorer. This option is only shown when
a hive is selected (denoted by the full path to the hive name, shown in bold, and with a different
icon).
• Add bookmark: Creates a new user bookmark. Full details will be discussed below.
• Hide key
– For this session only: Hides keys matching the selected key’s path from all loaded hives
until Registry Explorer is restarted
– Hide and add to auto hide: Same as the above option, except the key’s path is remembered
between restarts of Registry Explorer. This option is useful to hide non-useful keys in the
Registry that get in your way.
• Unhide key: Unhide previously hidden keys with the same path as the selected key. If a key has
been auto hidden, this option will remove it from the auto hide list.
• Export
– To .reg format: Exports the selected key and its values to plaintext format. This file can
then be imported into the active Registry by double clicking on the generated file.
– To .reg format recursively: The same as above, except all keys and values for the selected
key and all subkeys are exported.
• Copy
oKey name: Copies the selected key’s key name to the clipboard. Double clicking the key path in the
status bar while holding Shift also copies the key name to the clipboard.
* Key path: Copies the selected key’s key path to the clipboard. Double clicking the key path in the
status bar also copies the key path to the clipboard.
* Last write time: Copies the selected key’s last write timestamp to the clipboard. Double clicking the
last write timestamp in the status bar also copies the last write timestamp to the clipboard. Double
clicking the status bar while holding Shift will copy the key name and last write timestamp to the
clipboard.
• Expand subkeys: Recursively expands the selected key and all subkeys. You can also hold the
CTRL key while right clicking a node to expand each key.
• Collapse subkeys: Collapse all subkeys below the selected key
• Technical details: Displays full technical details about the selected key, its subkeys, values,
security records, and hive header. This option will be fully explored below.
Value context menu
A typical value context menu may look like this:

The name of the currently selected value is shown at the top.
• Export
– Value data: Exports selected value’s data in binary form to a file
– Value slack: Exports selected value’s slack data in binary form to a file. If a value has no
slack, this option is disabled
• Copy
– Value summary: Copies a summary of the selected value to the clipboard. An example is
shown below.
* Value name: Copies the selected value’s name to the clipboard

* Value type: Copies the selected value’s type to the clipboard (RegBinary or RegSz for example)
* Value data: Copies the selected value’s value data to the clipboard. For RegBinary values, the hex
values, separated by a hyphen, are copied to the clipboard as a string
* Value slack: Copies the selected value’s value slack to the clipboard. This option formats the data
the same as the Value data option. If a value has no slack, this option is disabled.
• Data interpreter: Brings up the Data interpreter window for the currently selected value and
converts the value’s raw data to a variety of formats. The image below is shows how binary
data for a 128-bit timestamp gets converted to different formats.
Value details
The Value details area will change depending on the type of value selected.
Type viewer
For all values except RegBinary values, a simple string representation of the value is shown as seen
below.
The other thing to notice here is the raw value is also shown (highlighted in yellow above). This
allows you to export out raw data into other tools, etc.
For RegBinary keys, a hex viewer will be shown to display the value’s binary data.
Selecting a byte or a range of bytes will update the Current offset and Bytes selected values at the
bottom of the hex viewer.
Slack viewer
For values that have value slack, a Slack viewer tab will be added. This viewer works the same as
the Type viewer for RegBinary values.
Double clicking on the offset allows for entering an offset to jump to in the hex display.
When viewing binary data, you can copy the selected bytes to the clipboard as either hex, ASCII, or
Unicode via the context menu:
Data interpreter
In the lower right corner of the hex viewer is a Data interpreter button. Clicking this button will bring
up the Data interpreter that converts the raw hexadecimal data into a variety of formats including
dates and times, GUIDs, IP addresses, and more. The Data interpreter window is shown below.
In the example above, a RegBinary value is selected and the 14th byte has been selected (click on a
byte to select it). To the right of the hex display is an ASCII interpretation of the binary data. In this
case, 70 corresponds to the ‘p’ character.
The Data interpreter also shows the same offset, 14, but it goes a step further and decodes the ASCII
string ‘please’ from bytes 70 6C 65 61 73 65. Registry Explorer will look for a single Null terminator
for ASCII strings (00) and double Null terminators (00 00) for Unicode strings. If no Null terminators
are found, the bytes will be interpreted from the current offset to the end of the data.
The Data interpreter can also convert GUIDs to known folder/location names as seen below.
In this case, a GUID was found at offset 0x04, 26ee0668-a00a-44d7-9371-beb064c98683, that maps to
‘Control panel.’
To copy values from the Data interpreter to the clipboard, press Ctrl+C.
Interacting with deleted keys
Registry Explorer can recover both deleted Registry keys and values. It also reassociates deleted
values with their parent keys and subkeys to their parent keys.
In some cases, it is not possible to reassociate recovered keys to an active Registry key because the
deleted key’s parent cell index does not correspond to a key’s offset in the active Registry.
Registry Explorer shows recovered deleted keys in up to three ways: “Inlined’ with existing keys
(that is, deleted keys are shown where they used to exist), Associated deleted records (the same info
as inlined keys, but the parent keys are placeholders), and Unassociated deleted records (no parent
key could be found in the active Registry).
Inlined with existing keys
When Registry Explorer can reassociate a key with an active parent key, it is shown under the root
key under its parent key. The icon for the deleted key (and all its subkeys) is the same as an active
key, but a red X is shown in the lower right corner to denote it is a deleted key. The font for deleted
keys is red.
Associated deleted records
All associated deleted records are also shown under a virtual key called ‘Associated deleted’ records.
Under this key, placeholder keys (keys with a link icon in the lower right) are created that denote
active keys, down to the point where the deleted key can be found. In the example below, the same
path as seen above is reflected down to the ‘BagMRU’ key. At this point, the icon and font color
changes to indicate the key is in fact deleted and has been reassociated.
Unassociated deleted records
In the cases where an active parent key could not be found, the recovered deleted key will be placed
under another virtual key called ‘Unassociated deleted records’ that functions in a similar way to
the Associated deleted records. The primary difference between the two is that there will not be any
active parent keys shown for unassociated records. Unassociated records can be explored like any
other records (looking at values, viewing Technical details, etc.).
Creating bookmarks
To create a bookmark, right click on a key and select Add bookmark.
Since Registry Explorer knows the hive type and key path already, these values will be prepopulated.
In the example below, a UsrClass hive is active and the VirtualStore key is selected.
The Category field allows you to place this particular Registry key into a high-level group. This
will eventually be used for reporting. Several preexisting categories are included but typing a new
Category will add it to the list.
The Short description serves as a summary for what the key means or why it is relevant. The value
entered for Short description will show up after the name of the bookmark in the bookmarks menu.
The Long description should contain technical information, links to web pages with more informa-
tion, or any other information you want to convey.
Recall the bookmarks menu is dynamic and will update according to the keys that are available for
the selected hive. If, before adding the bookmark, the Bookmarks menu looked like this:
And our new bookmark looks like this:
The Bookmarks menu will look like this once the Save button is clicked:
A ‘User created’ menu is now visible as is our VirtualStore bookmark (with the short description
shown in parenthesis after the key name).
Selecting the ‘VirtualStore’ bookmark expands all child keys to the bookmarked key in the selected
Registry hive.
Managing bookmarks
Recall bookmarks are kept in two folders, one for included bookmarks and one for user created
bookmarks. Registry Explorer contains a Bookmark manager that is available under the Bookmarks
menu.
The column headers in bold (Type, Hive Type and Key Path) are read only. To edit any of the other
columns, click on that column’s value and adjust. The bookmark is saved automatically, and the
Bookmarks menu will be updated accordingly.
Available bookmarks
The Available bookmarks tab is an optimized way to view all available bookmarks across all loaded
hives. Using the Available bookmarks tab allows you to see all bookmarks that exist without the
distraction of parent keys or having to drill down into different hives to review things.
After loading one or more hives, click on the Available bookmarks tab. An example of this is shown
below.
When the root folder for a bookmark is selected (BagMRU in the example above), information about
the bookmark is shown at the bottom of the window in the Bookmark information section.
The numbers at the end of the Available bookmarks tab indicate the total number of common
bookmarks (20 in this case) and the total number of user created bookmarks (5 in this case). Available
bookmarks dynamically updates as hives are loaded/unloaded, bookmarks are created/removed, etc.
Right clicking on a key brings up a context menu. The options work the same way as on the Registry
hives tab. The ‘Jump to key’ option will change the active tab to the ‘Registry hives’ tab and select
the bookmarked key. This is useful to see the bookmarked key in context with other keys.
Finally, common bookmarks are differentiated from user created bookmarks by showing user created
bookmarks in blue, as shown below:
This makes it easy to spot bookmarks you have added vs ones that were included with Registry
Explorer.
Searching
Registry Explorer contains powerful searching capabilities including standard string searches and
regular expression-based searches. It can also search for keys where the last write timestamp is
before, between or after a given timestamp or pair of timestamps, or for values that have a data size
greater than a certain number of bytes.
Registry Explorer allows you to search all hives at once across key names, value names, value data
and/or value slack. Searching is done against each hive asynchronously and results will appear as
they are available.
Options menu
Clear recent
When conducting a standard search, search terms in the ‘Search for’ box are remembered between
program executions. Use this option to clear these recent searches.
Convert
The convert menu contains options to convert the selected search string in the ‘Search for’ box to
its ASCII or Unicode hexadecimal value. This is useful when searching for patterns in Value data.
For example, selecting ‘Eric’ (without the quotes) and using the conversion options results in the
following being shown in the ‘Search for’ box:
• ASCII: 45-72-69-63
• Unicode: 45-00-72-00-69-00-63-00
The converted value can now be used to search for the initial string in its encoded form. You can
also convert terms to ROT-13 and search for encoded strings as well.
Help menu
Search tips
Shows several tips for different kinds of searches
Regular expressions
Launches a web page with information about creating .net regular expressions
Standard search
To conduct a standard search, simply enter one or more values in the ‘Search for’ box and click
‘Search.’ You can also press the Enter key twice on an empty line after entering a search term to
perform the search.
The Literal checkbox controls whether the term searched for is looked for in binary data when
searching in value data and/or slack. This is explained in more detail below.
If you entered a regular expression, change the radio button to ‘Regular expression’ so Registry
Explorer knows to use RegEx when searching. The Help menu can be used to get additional help on
building .net regular expressions. For additional resources on regular expressions, click here to view
the regular expression searching section for RECmd.
The History drop down will contain a list of your recent searches
Last write timestamp search
To conduct a last write timestamp search, choose the date range to search for via the radio buttons
and enter the required time stamp values, and then click Search (or press Enter).
Note: Depending on the Date/Time format under Preferences you may see extra characters in the
earliest and latest time stamp fields. These can be ignored.
Minimum value size search
When searching for values above a minimum size, the size of the value data’s length is shown in the
Value Data column as seen below.
Base64 in values search
This works the same as a minimum value size but validates the value’s data contains a valid base64
encoded string.
Interacting with search results
Once a search is underway, results will show up in the Results grid at the bottom of the Find window.
In the above example, a simple search was done for the string ‘mui’ and ‘cache’ which resulted in
334 hits. The search results contains the hive the hit was found in, what type of hit it was (key name,
value name, etc.), the hit text, and other relevant information.
The columns shown in the Results grid will change depending on what kind of search was done.
When searching in value name and/or value data, two additional columns will be shown as seen
below.
When searching in value data and/or value slack, the Search for term will be found regardless of
case or encoding (Western 1252 and/or Unicode to be exact). This makes it easy to find strings that
have been encoded in binary data.
The way this works is to take the raw bytes that make up the value data and/or value slack and
convert it to a string (again, in Western 1252 and Unicode), which is then searched using a regular
expression. The regex will find the hit with exact capitalization, and the exact hit is then converted
back to a byte string. This hit can then be reported back to the application and the data highlighted
in context with the rest of the data, regardless of encoding or capitalization.
Here is an example of some search hits for ‘cache’ that were found in binary data:
If the Literal checkbox is checked, the additional search against the converted data is not done behind
the scenes. This allows you to look for specific byte patterns without Registry Explorer converting
binary data to strings.
Here is an example where the string ‘las’ was found in value slack:
In the screen shot above, notice the hit in value slack was found in two different encodings.
Viewing search results
To view the search hit in the main Registry Explorer window, simply double click on the result you
wish to view. The Registry hive containing the hit will be selected along with the key where the hit
was found. If the Hit location is in a value name or in value data, the corresponding value will be
selected under the key.
For all simple searches, the search hit will be highlighted (or, in the case of a RegBinary hit, the bytes
that make up the hit will be selected). A few more examples of this are shown below.
For key name hits, the matching part of the key name is highlighted.
For value data (when the value type is RegBinary) and value slack, the bytes that make up the search
hit are selected in the hex viewer.
For value name and non-RegBinary value data hits, all instances of the search term are highlighted.
Search tips
The fastest searches are against key names. Searching against value names will be slower than key
names only. Searching value data/value slack is slower still. This is because every value of every key
must be looked at in order to search for value names or value data/slack across all loaded hives.
Do not let this stop you from searching against value names and data however. Even with these
options selected, Registry Explorer can still search multiple hives very quickly (often under a second),
but this depends on the number of keys and values in the loaded hives.
You can export the search results to Excel via the button in the lower right.
Technical details in depth
One unique feature of Registry Explorer is the ability to view the technical details of any key, its
values, security information, etc. This feature bridges the gap between a hex editor and other viewers
in that Registry Explorer can be used to validate itself as to its interpretation of Registry data.
To view the technical details of a key, select the key you are interested in, then right click and select
‘Technical details’ from the context menu. F5 can also be used as a shortcut.
In the example above, the Technical details for the ‘Local SettingsSoftwareMicrosoftWindowsShell-
BagMRU’ key are shown. The bytes at the bottom of the details form are the bytes for the NK record
as they are found in the Registry hive as viewed in a hex editor.
As different properties are selected, the highlighted bytes change to reflect the location in the raw
data where that property lives. The Last write timestamp property is selected, as are the bytes that
this property is derived from.
The selected bytes can be copied via Ctrl+C. Hold Ctrl+Alt+C to copy both the property name and
the value to the clipboard.
If a key contains one or more values, the Values tab is visible and contains a list of all the key’s
values. Selecting a value will display the VK record’s properties and raw data as we saw with the
NK record above.
At the bottom of the Values tab, the raw VK record is shown. A hex viewer for the value data and
value slack (if the value has slack) is also shown. This allows you to see both the VK records and the
data in one place. The value data/slack is the data that is available at the Data offset.
If a key contains subkeys, the Subkeys tab is visible and contains a list of the current key’s subkeys.
Double clicking on a subkey will open the Technical details report for that key in its own window.
Keys found in the active Registry (in other words, not deleted) will have an SK record tab that
contains the security key information for the NK record. The SK record tab works the same as the
NK and VK tab in that the hex editor updates when properties are selected, etc.
The ‘Full details as text’ tab contains a textual representation of the selected key including the NK
record, all VK records, and the SK record. This can be copied and pasted into reports as needed.
Finally, the Hive details tab contains information about the hive where the key was found. This
includes the sequence numbers, timestamp, length, root key name, checksum, and so on.
Plugins
Plugins provide a means to process a key and/or value in the Registry. They are primarily intended
for binary or otherwise obfuscated keys and values to be decoded to a more user-friendly manner.
The plugin architecture is open source and easy to implement.
Each release of Registry Explorer will contain all available plugins, but the hope
is that others will also contribute to the Registry Explorer project, located at
https://github.com/EricZimmerman/RegistryPlugins.
Plugins live under the main Registry Explorer directory in a subdirectory called ‘Plugins’ which can
also contain other directories as needed. Plugins are named according to the format:
RegistryPlugin.*.dll
Where the * is a description of what the plugin is for. Any subdirectories under the Plugins directory
are also checked for files matching the above specification.
When Registry Explorer is started, it looks for all files matching that pattern. It then verifies that
each file found is indeed a plugin. If it is, the plugin is made available to Registry Explorer.
To view all available plugins, use the View | Plugins menu option. When this is selected, the following
dialog is displayed:
As different plugins are selected, the properties for the plugin are updated. In the above example we
can see the name of the plugin and the exact key path (or paths) a plugin will handle.
Plugins can be tied to a key name or a key name and a value name. When a plugin processes particular
value, that value name will be shown in the appropriate field.
The Internal GUID is an identifier Registry Explorer uses to make sure each plugin is unique. In this
way you can have multiple plugins for a given key and things would still work properly (vs. basing
uniqueness off of a name or similar).
The short and long descriptions are used to explain in more detail what a plugin is doing, why it is
relevant, etc. The long description can also include even more details including links to blogs, etc.
Using plugins
There is no requirement on a user’s part other than clicking on a given key and/or value. As Registry
Explorer is used to navigate around a hive, Registry Explorer checks if any plugins have registered
an interest in the selected key/value. If any plugins are found, the key is passed to the plugin for
processing and the plugin then returns results to Registry Explorer which it then displays.
For example, say a user clicks on the SOFTWAREMicrosoftWindowsCurrentVersionExplor-
erComDlg32CIDSizeMRU key. This key’s values look like this:
There are many RegBinary values and an MRUListEx value that tracks the order each of the values.
Clicking on a value would display all the binary data in the hex viewer, like this:
A Unicode string can be seen in the data, but it is difficult to see all the data at once. This is where
the plugin steps in and presents a much easier to use presentation of the values under this key. After
a plugin processes a key, a new tab is displayed next to the Values tab at the top of the right side of
Registry Explorer:
Each value is processed, and the results are displayed in a grid which can then be sorted on, filtered,
or exported as needed
For plugins that handle a key and a value, like the AppCompatCache plugin, the results of the plugin
are displayed on a tab next to the Type viewer at the bottom part of the interface (below the values
tab).
As an example, the 7-Zip archive history value is a NULL terminated list of archives opened in 7-Zip.
When this value is selected, the 7-Zip plugin processes the value and returns a much nicer list, like
this:
The data returned can now be filtered, sorted, and exported as we saw earlier.
Some plugins can return a vast amount of information which can make displaying it all in a
grid overwhelming. In these cases, Registry Explorer will, by default, hide the details from the
plugin view (but this column can easily be unhidden if you like). As an example, let’s look at the
LastVisitedPidlMRULegacy plugin. When this key is selected, all values are processed, and the results
are displayed as we saw before. This plugin has a property named ‘Details’ which contains just that,
a very detailed listing of information extracted from a value. When a value is selected a new tab is
shown next to the Type viewer tab that contains the details of the selected value, like this:
This particular plugin decodes all of the shell items found in the binary data and places this decoded
data into the Details property. This is what is displayed when a value is selected.
When exporting plugin results for plugins that have a Details property, this column will be exported
as well, like this:
The Details column seen in the Excel sheet above is the same that is available after unhiding the
details column in Registry Explorer.
Creating plugins
NOTE: THIS MAY NOT BE 100% CURRENT AS YOU ARE READING THIS! USE THE EXAMPLES
IN THE GITHUB REPOSITORY FOR WORKING SAMPLES!!
To create a new plugin, download the RegistryPlugins project from Github, open the project in
Visual Studio, and create a new project that follows the correct naming convention similar to what
we saw earlier, RegistryPlugin.<something>. Once the project is created, add a reference to the
RegistryPluginBase project as this project will contain the base types and classes needed for a plugin.
Once this is done, the actual coding can begin. By default, a generic class is created in the new project.
Rename this to something more meaningful. This main class will contain the “brains” of the plugin.
Next, add a new class to the project and call it ValuesOut. While you can name this class anything,
most other plugins use this same convention.
The ValuesOut class defines the objects the plugin will return for display in Registry Explorer. For
example, the 7-Zip plugins ValuesOut class looks like this:
The important things to remember is to add read only properties and define a constructor that allows
for setting up the object. By doing this way we ensure our objects are immutable.
With the ValuesOut class done, we can code the primary class. Using the 7-Zip project as a reference
again, let’s take a look at the top section of the class:
After the class name we can see a reference to an Interface, IRegistryPluginGrid. This interface
contains the ‘rules’ the class must follow as it relates to properties. The interface definition looks
like this:
Which in turn references another interface, IRegistryPluginBase, that looks like this:
These interfaces define what properties must exist in a class that implements a given interface.
Looking back at our SevenZip class, we can see several of the properties from the interface definitions
along with a few other fields and variables. First, we see a read-only collection named _values which
will hold each of our ValueOut objects we create. Next is the constructor which initializes the class.
The internal GUID is nothing more than a unique GUID that can be generated via the C# Interactive
window (or any other means using Guid.NewGuid.ToString() method).
The next two properties define the key that this plugin is interested in and optionally, a value. This
particular plugin does contain a value name and as such, a combination of the key name and value
name is used.
The PluginType defines the how the resulting data from the plugin will be displayed. As of 0.8.0.0,
Grid is the only valid option.
The Author, Email, and Phone properties contain information about who made the plugin and how
to get a hold of them.
The PluginName, descriptions, and Version properties are next and are self-explanatory.
The Errors collection will contain a list of any errors encountered by the plugin as it processes a key
and/or value.
The remaining part of the class looks like this:
The ProcessValues function is called by Registry Explorer when it is determined a given key should
be processed by a plugin. This is where a key should be looked at and processed into ValuesOut
objects. It is very important to properly handle any possible errors by use or Try/Catch blocks. This
keeps the plugin from crashing and allows for reporting errors to a user in a consistent manner.
The AlertMessage can be anything a plugin author wishes and will be displayed in Registry Explorer
below the grid containing plugin results.
The Values property at the bottom is the property Registry Explorer will use to display the data
returned by the plugin.
Creating plugins is very simple in that it is some basic plumbing code (name, email, key path, etc.)
and a single function to process things. While this example showed a simple plugin, there are other,
more complicated examples in the Github project you can use as templates for new plugins.
RECmd
RECmd is a command line tool used to access offline Registry hives. It includes many of the same
features as Registry Explorer including searching, looking at keys and values, and exporting data.
Version 1.2 added batch mode and plugin support for automated searching and extracting of data to
CSV.
RECmd uses the same back end as Registry Explorer to process Registry hives. RECmd is open source
and the source code is available here.
Getting started
Running RECmd.exe without any arguments displays a list of command line options as shown below.
There are several groups of command line options for RECmd. They are not case sensitive.
Source
• f: The full path to the hive to process. If the path contains spaces, include them in double quotes.
• d: The full path to a directory to recursively search for hives to process. If the path contains
spaces, include them in double quotes.
Batch
• bn: Path to batch configuration file (see section below for details).
• csv: The directory to save batch results to
• csvf: File name to save CSV formatted results to. When present, overrides default name
Query
If either the key or value has spaces in them, be sure to enclose them in quotes.
When passing in key names, the root key name is optional. This is because most of the time you will
not even know the root key name in order to be able to include it.
To get default values, use a value name of “(default)”.
• kn: The key name to look for. If used without –vn, displays all subkeys and values.
• vn: Display only the value specified
• SaveTo: Saves –vn value data in binary form to a file
• json: Export –kn to directory specified by –json. Ignored when –vn is present
• details: Show more details when displaying results. Default is FALSE
Search
This is a particularly useful feature to locate data across hives in key names, value names, and
perhaps most importantly, in value data.
Searching is broken down into four types, by last write timestamp, value data minimum size, simple
string searches (and regular expression (RegEx) based searches when –RegEx is present).
• MinSize: Find values with value data size greater than or equal to the specified size (in bytes).
• Base64: Find Base64 encoded values greater than or equal to the specified size (in bytes).
• sk: Search for <string> in key names
• sv: Search for <string> in value names
• sd: Search for <string> in value record’s value data. The value data will be converted to its
equivalent in ASCII and Unicode and searched/compared to <string> unless the –Literal switch
is used
• ss: Search for <string> in value record’s value slack. The value slack will be converted to its
equivalent in ASCII and Unicode and searched/compared to <string> unless the –Literal switch
is used
• RegEx: If present, treat <string> in –sk, –sv, –sd, and –ss as a regular expression
• literal: If present, the –sd and –ss search value is not interpreted as ASCII and Unicode strings
• nd: When true, suppress showing data when –sd or –ss is used. Default is FALSE.
Other
• recover: If true, recover deleted keys and values. Default is TRUE

• nl: When true, ignore any transaction logs for dirty hives. Default is FALSE
• dt: Custom date/time format for displaying timestamps
• debug: Enable debug messages
• trace: Enable trace messages (VERY verbose)
Simple searches
The two letter search options starting with ‘s’ are string search options. These options look for
matches via ‘contains’ logic rather than ‘begins with’ or similar. For example, if you search for
‘cache’, the following keys would match if they existed in the Registry hive:
• Muicache
• Cache items
• UnCAcHeD
Simple searches are not case sensitive.

To search for binary data in value data, simply string the hex characters you want to find together,
separated by dashes (04-00-EF-BE for example).
This allows you to find signatures for common data structures ANYWHERE in the Registry. The
binary signature used above is that of a BEEF0004 extension block, commonly used in ShellBags. It
contains information such as MAC dates/times, MFT info, etc.
When using the sd and ss switches, the value data or slack will be converted to its equivalent ASCII
and Unicode representation from the raw bytes. For example, if you searched for Ask, three searches
would actually happen:
1.For the ASCII string itself
2.Raw data converted to ASCII string. A case insensitive search against this string is performed. If
found, the position of the hit is used to extract the exact string that was hit on. This string is then
converted back to bytes and reported as a hit.
3.Raw data converted to Unicode string. The rest happens as in step 2.
This allows string searches to find data regardless of encoding or case. If data is found in encoded
form, the exact bytes making up the hit are highlighted. These bytes may differ from the searched
for string if the capitalization was different.
If the –Literal switch is used with sd or ss, then only the first search is done behind the scenes. This
allows you to look for specific byte patterns without RECmd interpreting raw data or slack to ASCII
or Unicode.
Regular expression searches
When the –RegEx switch is present, the search term used is treated as a regular expression. Regular
expression searches offer much more powerful capabilities to find things at the cost of having to
follow a more complex set of rules when building search terms. Another tradeoff is that it can be
slower depending on how complicated your RegEx is.
Enclose the RegEx in quotes to make sure the shell does not try to interpret anything in there.
As with simple searches, regular expression-based searches are case insensitive.
Regular Expression examples
Finding keys
To find all keys that contain ‘Microsoft.Bing’ followed by an F, H, or a W, then an o, use the following
search:
RECmd.exe -f "D:\temp\re\UsrClass 1.dat" --RegEx --sk "Microsoft.Bing[FHW]o”
Finding values
To find all values with names that contain either ‘AppName’ or ‘DisplayName’, use the following
search:
RECmd.exe -f "D:\temp\re\UsrClass 1.dat" --RegEx --sv "(App|Display)Name"
326 results were found, but due to the length of the output, only a few are shown below.
Notice that some of the hits are in red. This means they were recovered keys/values.
Finding data
To find all values whose data contains ‘URL:bing’ followed by either an m, h, or s, use the following
search:
RECmd.exe -f "D:\temp\re\UsrClass 1.dat" --RegEx --sd "URL:bing[mhs]"
For more examples, run RECmd.exe without any command line arguments.
All regular expressions must of course be valid .net regular expressions. Different flavors of RegEx
providers allow for different syntax, so be sure to use the proper syntax.
RegEx tutorials for .NET.
* https://msdn.microsoft.com/en-us/library/az24scfc%28v=vs.110%29.aspx
* http://regexhero.net/reference/
* https://msdn.microsoft.com/en-us/library/hs600312%28v=vs.110%29.aspx
* http://www.codeproject.com/Articles/9099/The-Minute-Regex-Tutorial
* http://www.systemtextregularexpressions.com/help
RegExBuddy is an awesome tool for building and testing RegEx against data sets.
Batch mode
Batch mode works by crafting a YAML formatted document and passing it into RECmd via the –bn
switch. Data will be saved to the directory specified by –csv. Batch mode also allows for the use of
plugins. These plugins are the same plugins as found in Registry Explorer and work the same way.
When used by RECmd, the data from the plugin will be normalized into a standard format for CSV
output. With that said, when a plugin is used to process a key or key/value, the data generated by the
plugin is also saved out to a CSV. In this way, it is very similar to exporting the data from Registry
Explorer (albeit to Excel vs CSV).
Several example batch file specifications ship with RECmd, but let’s take a look at one in more detail.
The specification for a batch file is as follows:

Header
• Description: A general description of what this batch file is going to find

• Author: Name of made this batch file (can me more too, like contact info)
• Version: A version number that should be incremented as changes happen
• Id: A unique (across all other batch files) GUID that identifies this batch file
• Keys: A list of things to look for
Keys collection
Each entry consists of:
• Description: A user-friendly description of what this key will find. Can be anything from the
key name to a friendlier description of what it means, etc.
• HiveType: The type of hive this entry corresponds to. Valid choices are: NTUSER, SAM,
SECURITY, SOFTWARE, SYSTEM, USRCLASS, COMPONENTS, BCD, DRIVERS, AMCACHE,
SYSCACHE
• KeyPath: The path to the key to look for
• ValueName: OPTIONAL value that, when present, is looked for under KeyPath
• Recursive: Whether to process KeyPath recursively or not
• Comment: Like Description in that you can add various things here that end up in the CSV
While the example above only includes NTUSER, you can mix and match as many different hive
types as you like (again, see the examples) so you can extract data from NTUSER hives, SYSTEM,
and SOFTWARE for example.
To use batch mode, supply the file to the –bn switch, along with –csv to tell RECmd where to save
results:
RECmd.exe --bn D:\Code\RECmd\RECmd\BatchExampleUserAssist.reb -f C:\Temp\NTUSER_-
dblake.DAT --nl --csv C:\Temp
We only searched a single hive here, but if we used -d vs -f, we could search entire directories for
hives to process.
This results in a few files being created, one for the batch data, which is named after the name of
the batch file passed in, and the other is named after the Plugin that was executed (Services) along
with the full path to the hive for that particular file.
This lets you know exactly what was found (Services) and where it was found (C:TempSYSTEM_-
loneWolf). If you had 10 NTUSER.DAT hives and 3 plugins ran on each, you would end up with 31
files generated, 1 for the main batch mode CSV, and 30 for the plugins.
The main batch mode CSV also contains a pointer to the detailed plugin CSV so if you do need to
drill down you can do so easily.
Version changes
For versions after 1.2.0.0, see ChangeLog at https://ericzimmerman.github.io
Version 1.2.0.0
NEW: Updated controls and nuget
NEW: Display deleted values with red gradient in values list
NEW: Display deleted values with non-resident data with purple gradient when the data record that
value points to has been reallocated to another cell somewhere else.
NEW: RECmd completely rewritten, adding support for plugins and batch mode
CHANGE: Updated back end Registry parser with tweaks and new features
CHANGE: Updated plugin interfaces to support batch mode in RECmd
FIX: Handle fringe errors related to save paths, loading bookmarks, etc
Version 1.1.0.0
NEW: Updated controls, move to Fody vs LibZ for single exe
CHANGE: Show slack tab when a plugin is used
FIX: Fixes for handle leaks
FIX: Handle NK record referencing deleted value per @errnofail’s research
FIX: Various tweaks and fixes
Version 1.0.0.0
NEW: Display warning when Header sequence 1 != sequence 2. this means the hive is dirty and
there are transactions in the log file(s) which has not been committed to the hive.
NEW: Updated controls and dependencies
NEW: For non-RegBinary values, display ‘Binary viewer’ tab which contains the value’s raw data.
NEW: When grouping in a grid, show the total number of items in the group in the header
NEW: Added plugins for Bluetooth, Bam, Dam, RecentApp, etc.
NEW: Detect dirty hives and offer to replay transaction logs (new format only) so the hive contains
all data contained in the transaction log(s).
CHANGE: RegNone values are treated like RegBinary and are shown in a hex viewer which allows
for interacting with bytes more easily
CHANGE: Merge some changes from other users to plugins (SAM)
FIX: Update existing plugins to support new cases (AppCompatcache), timestamp to UTC (Office),
etc.
Version 0.9.0.0
NEW: Added Raw Value property to non-RegBinary values that contains the bytes that make up the
value. This is useful for copying out into other programs like DCode, etc.
NEW: Plugins added for Known networks (SOFTWAREMicrosoftWindows NTCurrentVersionNet-
workList), WordWheelQuery, TypedURLs (including TypedURLsTime), Services, Terminal services
client (RDP history), DHCPNetworkHint,
NEW: Added Options | Convert selected | To ROT-13 in Find window. This allows for searching for
things ROT-13 encoded like UserAssist, etc without having to rely on a plugin
NEW: Added ‘# subkeys’ column to Registry Hives and Available bookmarks trees
NEW: Added ‘Selected hive’ to left side of status bar that tracks the name of the hive currently
selected. Double clicking copies full path of hive to clipboard
NEW: More bookmarks

NEW: Add indicator for ‘Deleted’ in search results
NEW: Added ‘Data interpreter’ option to Values context menu. This allows you to view and decode
the raw value data in a wide variety of formats (integer to EPOCH date, etc.)
NEW: Much better filtering options in trees and grid including Excel like filtering
NEW: Updated controls
NEW: Holding CTRL while right clicking a node in Registry hives tree will automatically expand
all child nodes (saves time over using context menu)
NEW: Project support added. You can now create projects based on currently loaded hives and reload
projects as needed
NEW: Add File | Unload all hives option
NEW: More data interpreter conversions
CHANGE: Allow for cell selection vs entire rows in Values grid
CHANGE: Allow for scrollbar on tree so all columns can be seen
CHANGE: User created bookmarks now show up in the Available bookmarks tab in Blue (bold) font
to differentiate them from Common bookmarks
CHANGE: Absolute path to active Registry hive is now prepended to Key path on Copy via context
menu in trees and to Value summary in Values grid
CHANGE: Add group membership and password hints to SAM plugin
FIX: Plugins updated based on test data
FIX: Save Datetime format and load it on subsequent starts
FIX: Bug fixes
Version 0.8.1.0
NEW: Change to .net 4.6
NEW: Added exporting of values to Excel, TSV, PDF, and HTML via key context menu (under Export
| Values). Data is exported exactly as shown in Values grid (this lets you hide columns, reorder, sort,
etc. before export)
NEW: Plugin support added.
NEW: Added View | Plugins to explore available plugins
NEW: Added Base64 to data interpreter under Strings section
NEW: Added Tools | Preferences
NEW: Option to show (and therefore export) RegBinary values as Base64 strings (enabled in Tools |
Preferences)
NEW: Option to show (and therefore export) value slack as Base64 strings (enabled in Tools |
Preferences)
NEW: Option to set custom date/time format for timestamps
NEW: For RegUnknown value type, show the actual value of the Registry Type in hex and decimal.
NEW: Ability to double click offset in hex viewers to jump to the offset in either decimal or hex
NEW: When a plugin is added for a key or value, make it the active tab
NEW: Hex viewer allows for selecting bytes and copying as hex, ANSI string (Windows 1252 code
page), or Unicode string
NEW: When exporting value data, offer exporting in binary or string format
NEW: Allow for searching for many terms at once vs one at a time in Find dialog
NEW: Change messages count background color to yellow when there are warning messages and
red when there are error messages. This color will be cleared when the Messages window is viewed.
CHANGE: Disable Bookmarks menu when on Available bookmarks tab
CHANGE: Clear any active filters before selecting bookmarked key
CHANGE: Set focus to last used search type on Find form
CHANGE: Sort bookmarks by name
CHANGE: Load hives when they do not have an nk record with a HiveRootEntry flag set. When
this happens, an alternate method is used to find the root key
CHANGE: Put the newest search history items at the top of the list
CHANGE: Don’t trust Header length when looking for hbins as sometimes Header length is wrong
CHANGE: Values grid filters use ‘contains’ vs ‘starts with’ as default
FIX: Add missing tooltip to Literal checkbox on Find form
FIX: Update hex position in hex type viewer when moving up and down rows vs only left and right
FIX: Correct issue when selecting hits in Find panel if the Registry keys tree was sorted when a
virtual key existed (Associated Registry keys for example)
FIX: Handle rare issue when building virtual keys for ‘Associated deleted records’ where there is an
active key and a recovered deleted key with the same name
FIX: Lots of tweaks and miscellaneous fixes
Version 0.7.1.0
RECmd changes
New: Added –Dir switch. This recursively searches for hives in a given directory and searches each
of them
Registry Explorer changes
New: Registry Explorer can now function as a “default application” in that you can associate RE
with *.dat and then double click hives. This also allows for setting up RE in other apps like X-Ways
as an external viewer, dragging and dropping hives onto RE shortcut/executable, etc.
New: Added Check for updates to About menu
Version 0.7.0.0
As of 0.7.0.0, Registry Explorer and RECmd are included together.
RECmd changes
NEW: Added –Literal switch. When present, –sd and –ss switches will not be interpreted
NEW: Added –ss switch for searching Value slack space
NEW: Search terms are now highlighted in search results. Edit nlog.config to adjust colors for
foreground and background
NEW: Added –RegEx switch. When present, treat <string> in –sk, –sv, –sd, and –ss as a regular
expression
NEW: If nlog.config is missing, add default config and warn user
CHANGE: Switches are NOT case sensitive any more
CHANGE: Remove RegEx specific switches (See –RegEx above)
CHANGE: Tweak command line option descriptions
CHANGE: Updated nlog

See here for changes in version 0.6.1.0.
Registry Explorer changes
This version is pretty much a complete rewrite under the hood. This was done to address
performance issues due to initial (bad) design decisions.
Hive processing is fully asynchronous, but very large hives can take a few seconds to display once
the hive is loaded. This is due to the need to load all
NEW: Full support for searching including key names, value names, and value data, both with simple
searches and RegEx. Searching based on last write timestamps is supported as well
NEW: Fully asynchronous loading of hives which keeps the GUI responsive, even when loading 100+
MB hives (I am looking at you SOFTWARE hive)
NEW: Tech details hex editors now update with offset and selection length when bytes are selected
NEW: Added value context menu to copy value summary (a combination of name, type, and data),
name, type, data, and slack to clipboard
NEW: Add value context menu to export data and slack to a file
NEW: Settings for things persist
NEW: Search strings are remembered and autopopulate when typing on the Find form. Use the Tools
menu to clear
NEW: Added Convert | To hex ASCII and To hex Unicode to Find. This allows you to look for
encoded strings in value data without having to manually convert strings to hex
NEW: Allow deleting of user created bookmarks in Bookmark Manager via Ctrl-Delete
NEW: Added context menu to Available bookmarks (Copy, expand/collapse, tech details) that work
the same as the ‘Registry hives’ context menu options
NEW: Added ‘Jump to key’ context menu item on Available bookmarks tab that will select the hive’s
key on the ‘Registry hives’ tab
NEW: More hot keys added to main/context menus
NEW: Added ‘Root key name’ to Tech details | Hive details properties and strip root key from Tech
details window title to save space
NEW: Added Export ‘Registry hive’ menu to File menu. This exports the tree exactly as it is shown
to the selected format
NEW: Enable/disable expand/collapse subkey options depending on the expanded state of the
selected key
NEW: Save positions of vertical and horizontal splitters
NEW: Trees and grids all save settings (sorting, filtering, conditional formatting rules) between
sessions
NEW: Save size of main form
NEW: Improved hex editor control for RegBinary keys. Added offset, selection length, and data
interpreter
NEW: Added ‘Show associated deleted records’ and ‘Show unassociated deleted records’ to Options
menu
NEW: Added ‘Slack viewer’ tab for values that have slack space
NEW: Added ‘Show parent keys when filtering’ to options menu. Turning this OFF shows only the
keys that match the filter. When ON, parent keys to keys matching the filter are also shown
NEW: Added a Total messages counter to lower status bar (far right) that indicates the total number
of messages available on the Messages form
NEW: Added skinning support. Active skin can be changed from the Options menu
NEW: Added icon for Registry hive in the Registry hives tree to visually separate it from keys
NEW: Make hive name bold to make it stand out from keys
NEW: Tech details info can be copied via Ctrl+C (just the value) or Ctrl+Alt+C (Name: Value)
NEW: All hex viewers now support Ctrl+C to copy selected bytes to clipboard
NEW: Search for minimum value sizes added
NEW: Search in value slack added
CHANGE: Allow resizing of window below 800x600
CHANGE: Drag and dropping of hives supported on any of the 3 main sections of Registry Explorer
CHANGE: Status bars adjusted. Added options to hold Shift when double clicking in order to copy
different parts of the key/value
CHANGE: Add vertical scroll bar to Technical details hex editors
CHANGE: Rename tree context menus from ‘child nodes’ to ‘subkeys’
CHANGE: Hide Messages form by default since things load and process faster when its hidden
CHANGE: Icon for existing key placeholder in Associated deleted records updated
CHANGE: Icon for Associated deleted records updated
CHANGE: Made legend icons bigger
CHANGE: Bookmarks manager now allows editing/deleted both common and user created book-
marks
FIX: Bug fixes in Registry parser (yay unit tests)
FIX: Show SK record in Technical details form
Version 0.2.0.0
NEW: Added new tab in upper left, Available bookmarks, that shows all available bookmarks across
all loaded Registry hives
NEW: Added ‘Technical details’ option to context menu. Use this to view all the down and dirty
details about a key including its bytes, its security key, subkeys, values, etc. This provides an easy to
use way to explore and validate Registry tools
NEW: Added several hotkeys for commonly used key context menu items
NEW: Allow exporting of keys either individually or recursively to .reg format via the context menu
NEW: Add ‘Collapse all hives’ button to status bar.
NEW: Added more bookmarks
CHANGE: Prevent illegal file name characters in category names (\, /, |, and so on). Any illegal
characters will be replaced with an underscore
CHANGE: Nlog logging added
CHANGE: Registry parsing is now ∼150% faster and memory usage reduced by 40-80%
CHANGE: Prevent the same hive from being loaded more than once
CHANGE: Expand the top level node after loading a hive
CHANGE: Hide or unhide all matching keys in all open hives vs only the active hive
FIX: When removing keys from auto hide list, remove any hidden keys in the tree that match as well
FIX: Actually export the timestamp when exporting Messages
FIX: GUI polish
Version 0.1.8.0
Initial release
Appendix A – Contributors
The following people have contributed in one way or another during the development and
refinement of SBE
• Devon P. Ackerman @aboutdfir

• David Cowen @HECFBlog
• Dan Pullega @4n6k
• Jerod Alexander @jerod
• Willi Ballenthin @williballenthin
• Maxim Suhanov @errno_fail
Appendix B – Additional resources
• http://binaryforay.blogspot.com/: Contains detailed postings on the internal workings of the

Registry
• https://github.com/EricZimmerman/Registry: Source code for the back-end parser used in
Registry Explorer
• https://github.com/EricZimmerman/RECmd: Source code for RECmd
• https://github.com/EricZimmerman/RegistryPlugins: Source code for all Registry Explorer
plugins
SDB Explorer
SDB Explorer Introduction
SDB Explorer is a tool created by Eric Zimmerman that can be used by forensic examiners to examine
shim database files (.sdb). Please check out Microsoft’s official documentation on Application
Compatability Databases here¹⁵⁹.
SDB Explorer
¹⁵⁹https://learn.microsoft.com/en-us/windows/win32/devnotes/application-compatibility-database?redirectedfrom=MSDN
SDB Explorer 291
Below is a screenshot of SDB Explorer with a shim database file loaded.
SDB Explorer with a loaded Shim Database

SDB Explorer 292
Using the Info -> Metrics menu, examiners can look at a visual representation of the data present
within a loaded shim datbase.
SDB Explorer’s Metrics Feature
SDB Explorer References
Blog Posts
Official Blog Posts
• Introducing SDB Explorer¹⁶⁰
Download SDB Explorer

SDB Explorer can be downloaded from https://ericzimmerman.github.io/#!index.md
¹⁶⁰https://binaryforay.blogspot.com/2018/02/introducing-sdb-explorer.html
Shellbags Explorer
Revision history
2014-11-21 Rev. 1 – Initial release
2022-07-25 Rev. 2 - Leanpub release
Requirements
ShellBags Explorer requires Microsoft .net framework version 4.5.1 full runtime or greater to be
installed. It is available at http://www.microsoft.com/en-us/download/details.aspx?id=40779.
What are ShellBags?

ShellBags are of great forensic value from Intrusion investigations to Malware Causality examina-
tions to timeline generation in that they are a perfect example of Locard’s exchange principle - “a
perpetrator will bring something into a crime scene and leave with something from it.”
By design, Microsoft® Windows may track a cyber intruder’s actions on a host system after
compromise if the actor uses RDP or other Remote Connection controls and/or Windows Explorer
to drop binaries onto the system, to access network resources, browse compressed archives, etc.
Additionally, all directory traversal done with Windows Explorer is tracked and maintained in the
registry. This data includes multiple timestamps and other pieces of information that provide context
Shellbags Explorer 294
and can be used to show knowledge and intent when it comes to accessing directories or other
resources on a computer.
From the anti-forensics standpoint, an absence of ShellBag entries may suggest system cleaning or
overt action by an end-user and potential sophistication of the actor. Lastly, bad actors are becoming
smarter every day - not every forensic examination will contain evidence in plain sight/allocated
space. ShellBags, along with other artifacts, may point to evidence that existed at one point in time
or may assist the examiner in looking at the broader picture when only a piece is known.
ShellBags are a set of Windows Registry keys located in NTUser.dat and USRClass.dat registry hives
(primarily usrclass.dat) that maintain view, icon, position, size (and other attributes) of folders when
using Windows Explorer. They are likely to persist information even when the original directories,
files, and physical devices have been removed from the system and due to this, can serve as a
“history” of sorts into data that was previously on a system but may have since been removed.
When combined with volume shadow copies (specifically, older copies of registry hives), significant
insight into a user’s activity can be gleaned.
ShellBags location in the registry

In Windows Vista and newer (including server operating systems based on the same technology),
ShellBag data is located in the following registry keys and subkeys:
* HKEY_CURRENT_USERSoftwareMicrosoftWindowsShellBags
* HKEY_CURRENT_USERSoftwareMicrosoftWindowsShellBagMRU (ntuser.dat)
* HKEY_CURRENT_USERSoftwareMicrosoftWindowsShellNoRoamBags
* HKEY_CURRENT_USERSoftwareMicrosoftWindowsShellNoRoamBagMRU
* HKEY_CURRENT_USERSoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShellBagMRU
(usrclass.dat) (Found on disk at C:Users<profile_name>AppDataLocalMicrosoftWindows)
* HKEY_CURRENT_USERSoftwareClassesLocal SettingsSoftwareMicrosoftWindowsShellBags
SBE currently looks at the bold keys. The “Bags” keys are not looked at as they have been determined
to relate to window position, size, etc,
Using RegEdit to view ShellBag data

The regedit utility included with Windows can be used to view ShellBag data. After starting
regedit, navigate to the HKEY_CURRENT_USERSoftwareClassesLocal SettingsSoftwareMicrosoft-
WindowsShellBagMRU key (shown below).
On the left, registry keys are displayed. After selecting a key, the values for that key are displayed
in the right pane.
The values on the right correspond to ShellBags that are children of the selected key. In the screen
shot above, it is the BagMRU key. The BagMRU key represents the “Desktop” in Windows and all
ShellBags will exist under the Desktop. In other words, the Desktop is the topmost Shellbag.
ShellBag binary contents

Each ShellBag contains binary data that defines what the ShellBag represents. Double clicking on a
value will bring up an editor showing the binary data as seen below.
In the example above, the “0” value has been opened. The contents of the ShellBag are shown in
hexadecimal. The example above contains a GUID which corresponds to the “My Computer” folder.
There are hundreds of GUIDs that map to directories, control panel items and categories, etc. SBE
contains hundreds of GUID mappings to human readable formats.
Some ShellBags will contain strings (both ANSI and Unicode) representing things such as directory
names or UNC paths. In the image below, a directory named “Timelord” was accessed. The ‘short
name’ is highlighted in green and the ‘long name’ is highlighted in blue.
While not obvious, there are also several dates and times embedded in the binary data as well as MFT
entry and sequence numbers. It is also possible to determine the file system this directory existed
on based on the contents of the ShellBag. In the example above, the directory existed on an NTFS
file system with MFT Entry Number 332634 and MFT Sequence Number 20 and was last accessed
on 11/19/2014 at 8:47:52 PM +00:00!
MRUListEx
The MRUListEx value is the Most Recently Used list and reflects the order the ShellBags were opened
with the most recently opened bag being listed first. As ShellBags are opened, the MRUListEx values
are shifted to the right and the most recently opened value is added to the leftmost position.
Double clicking the MRUListEx value brings up an editor showing the binary data contained in the
value.
Each entry in the MRU list is 4 bytes long (little endian). In the image above, the first 4 MRU positions
have been highlighted with different colors.
Based on what is in the MRUListEx key above, the order the ShellBags under BagMRU were opened
is 0, 8, 3, 7, 5, 6, 4, 2, 1. The last entry in MRUListEx is always FF FF FF FF.
NodeSlot
There is also a NodeSlot value that links to a subkey under the Bags key. This subkey contains such
things as the sorting, icon size, and other properties for a given directory. The NodeSlot value is for
the currently selected key and not the ShellBags present under a given key.
Subkeys and their relation to values

In the screen shot on page 6, the BagMRU key has been expanded and circled in red. Under it are
subkeys 0-8. Notice there are also values with the same name on the right.
Subkeys with the same name as the value will contain child objects for that value. Recall each value
represents a ShellBag. A ShellBag can be the Desktop item, a Control Panel Category, a Control
Panel item, a drive letter, or a directory (there are other possibilities as well).
In the image above, the ShellBag with a value of 4 is the “parent” ShellBag for any ShellBags found
in the key with the same name. Selecting the key with name 4 results in the following.
As you can see, the pattern continues as we drill down into child keys. If we continue to drill down
we will eventually run out of child keys as seen in the next screen shot.
We know we are at the “bottom” because there are no more child keys and the MRUListEx value is
FF FF FF FF.
LastWrite times and their value in ShellBags analysis

Whenever a value is changed in a registry key, the key’s LastWrite timestamp is updated. Regedit
does not display these timestamps, but other forensic programs such as X-Ways Forensics or
TZWorks yaru can. When using yaru to look at the same key as shown above, we can see the key
was last written on 11/17/2014 at 18:14:40 UTC.
Using LastWrite values to determine First Explored and Last Explored dates
and times
Keeping in mind how LastWrite timestamps work, we can now determine when a given ShellBag
was accessed.
To determine the first time a ShellBag was explored, we can look for the “bottom” most keys and
use their LastWrite timestamps for the ShellBag in the parent key. Recall in the example above, the
key is “0” and the last write value is 11/17/2014 at 18:14:40.553 UTC. If we go “up” a level and select
the parent key of the bottommost key, we see a ShellBag value named “0.”
Note: This only works for the bottommost key and its corresponding value in the key’s parent. If a
child directory is browsed underneath the highlighted key above, it is not possible to determine the
first explored date for the intermediate folder anymore (but we would now know when the newly
browsed folder was viewed, assuming it was the bottommost directory navigated to).
To determine the last time a ShellBag was explored, we use the LastWrite timestamp in conjunction
with the MRUListEx value. Recall the first entry in MRUListEx is the most recently viewed ShellBag
in a given key. By looking at the LastWrite timestamp for a key, we know when the first entry in
the MRUListEx was last explored.
Since MRUListEx has its first entry set to a value of “4”, the ShellBag with the same value was last
explored when the “0” key was last written to. Since the MRUListEx value is updated as ShellBags
are accessed, the LastWrite timestamp is also updated.
More information on these concepts is available at http://www.4n6k.com/2013/12/shellbags-
forensics-addressing.html.
Why another ShellBags program?

Tools like RegRipper and sbags from TZWorks have processed ShellBags for quite some time now,
but ShellBags Explorer (SBE) is different in that it presents a visual representation of what a user’s
directory structure looked like. Additionally SBE exposes various timestamps such as First Explored
and Last Explored for a given folder, the file system where a directory existed, and so on. SBE also
contains a command line version which can produce output (while still including the additional
relevant timestamps and file system info, etc.) similar to sbags and RegRipper.
Capabilities overview
SBE is meant to be an all-inclusive tool for ShellBag artifacts. It negates the need for laborious
manual steps, decoding of data, and determining contextual relationships between directories, etc.
* Included support for all known Extension blocks and auto-detection of unknown blocks, unknown
ShellBag types, etc.
* Data interpreter to Hex view. As hex values are selected, the values update from the cursor’s
position.
* Support for NTUser.dat and USRClass.dat
* Consistent display of data for bags
* Ability to view all bags recursively to easily sort, filter, etc.
* Ability to ingest multiple registry hives and remove duplicate ShellBags. This allows for a
comprehensive view of directory access spanning the range of data in all registry hives.
* Ability to show what directories were accessed on CD and DVD media (and therefore showing
what drive letters were optical readers)
* And MUCH more
How does it work?

* The basis for SBE is Joachim Metz’s document, Windows Shell Item format specification, which is
available here http://goo.gl/rJXmLY. The specification outlines all known shell bag types and layouts
and is continually updated by Metz as new information is discovered.
* Certain shell bags contain other properties with complex layouts. These specifications are linked
in the document above.
SBE has been designed with features and capabilities such as unknown GUID detection, extension
block mismatches, etc. and has been used to contribute significant, previously unknown information
to the format specification for shell items. By automatically reporting anomalies in the decoding
process, these anomalies can be reported to the program developer in order to improve the
capabilities of SBE and thusly the forensic process in which SBE is used.
Why use ShellBags Explorer and not ShellBag (sbag) Parser by

TZWorks, MiTeC Registry Analyser or RegRipper?
Each of the three other tools are summary tools and none show you the contents of all (or nearly
all) bytes in ShellBags. In fact, some of them do not show certain bags at all. SBE parses hives that
crash other tools and report far more data than others as well. Additionally, only SBE (outside of a
hex editor) can truly be used to study what is inside ShellBags while at the same time representing
data in such a way that is visually similar to how the end user would have seen their file systems. By
representing ShellBags in a hierarchical fashion vs. a flat list, an examiner can more easily explore
and see directory structure and layout as the subject did. Additionally, SBE allows for filtering,
sorting and grouping far beyond the capabilities of Excel or similar tools.
Getting started
If you are reading this, it is assumed you already have ShellBags Explorer installed somewhere on
your machine. A default installation of ShellBags Explorer includes the following files:
* SBECmd.exe: The command line version of ShellBags Explorer
* ShellBagsExplorer.exe: The GUI version of ShellBags Explorer
Either version of ShellBags Explorer (SBE) can be used to process and examine registry hives. One
program does not rely on the other for SBE to function.
ShellBagsExplorer.exe
This is the GUI version of SBE. It provides deep insight into shellbag data in an easy to use interface
that resembles Windows Explorer.
To start SBE, open the SBE folder and double click on ShellBagsExplorer.exe.
Each of the sections above will be explored further in subsequent sections below.
Tree view
The tree view displays a Windows Explorer like representation of ShellBag data. There are menu
options under Tools to automatically expand and contract all nodes.
Left clicking a tree node

Left clicking a node will display details of the selected node in the Details view pane. Additionally,
all child bags of the selected node are displayed in the grid view.
Right clicking a tree node

Right clicking a node in the tree will recursively load all child nodes of the selected node. The nodes
are displayed in the grid view.
Grid view
The grid view displays all ShellBags located below the selected node in the tree, or, in the case of
recursive viewing, a list of all ShellBags located below the selected node and all child nodes of those
nodes.
Left clicking a grid entry

Left clicking a node in the grid view will display the details of the ShellBag in the Detail view. The
hex view will also be updated to reflect the binary contents of the ShellBag.
Right clicking a grid entry

Right clicking a node in the grid view will select that node in the tree view. This is handy when
viewing nodes recursively to see where in the directory structure a particular node lives.
Details view
After a ShellBag is selected, the details view pane displays all known data about the selected ShellBag.
This includes basic information as well as extension blocks, MFT information, file system hints, raw
hex content, and so on.
Hex view
After a ShellBag is selected, the hex view will contain the raw hex content of the selected ShellBag.
To the right of the hex display is a data interpreter that is updated in real time as data is selected in
the hex editor. This allows for verification of data in both the grid and details view.
Status bar
The status bar on the bottom contains various details about the loaded hive, whether or not a filter
is active (including the number of visible rows vs. the total) and if there are any updates available
to SBE.
Menus
File
The File menu allows for loading either the live registry information or an offline hive. When loading
an offline hive, the user will be prompted for the location of the hive file to load.
More information is available when browsing an offline hive than browsing the live registry. This
is because as of SBE version 0.5.0.0, the LastWrite timestamp for registry keys is not available when
looking at the live registry. The live registry option can be used to explore ShellBags from the live
machine during training, research, and so on.
Export submenu
Once SBE has loaded a hive, the File menu also allows for exporting of the data in one of several
formats.
* CSV: All available columns will be exported
* Excel: The visible columns in the Grid view are exported.
* json: All data is exported in json format.
NOTE: You can customize the columns shown in the grid view by clicking the field chooser icon
in the upper left corner of the grid (this is explained in more detail in an upcoming section). This
allows you to hide or show whatever columns you choose to make your work easier.
Tools
The tools menu contains options to expand and contract tree nodes, show the messages window, or
set the time zone to be used when displaying dates and times. The messages window is displayed
automatically as messages are generated.
A time zone must be selected before selecting a source for ShellBags (the live registry or an offline
hive). By default, UTC is used for all dates and times.
Help
Quick help provides basic information on how to use SBE. About contains version information and
contact information for the developer.
Workflow overview
After selecting either the live registry or an offline hive, SBE will display a summary of the types of
ShellBags that were found as seen below.
In the image above, notice 331 ShellBags were found in the registry and 331 ShellBags were processed.
Should there be a situation where the number of ShellBags found is not equal to the number of
ShellBags displayed by SBE, the summary screen will be different to reflect this fact.
Messages window
If there are any errors when processing ShellBags, the Messages window will be displayed.
Selecting a message will show the details for that message in the lower pane. All messages can be
exported or cleared using the buttons in the lower right corner.
The Messages window can contain both errors and informational messages. Informational messages
will be displayed when unknown GUIDs are found, new extension blocks are discovered, or there
is a mismatch between the number of extension blocks in a ShellBag and the number of parsed
extension blocks (these concepts will be elaborated on soon).
NOTE: You can quickly jump to the ShellBag related to the message by double clicking anywhere
on a row. This will select the ShellBag in the tree so it can be reviewed as needed.
Tree view
The tree view will also be updated. As seen earlier, the starting point for ShellBags is the Desktop
folder.
Expanding a node displays its children. In the image below, several child objects have been expanded.
Each different kind of ShellBag is represented by a different icon. In the example above we see icons
for directories, GUIDs, control panel categories, drive letters, and user application data. This helps
you quickly visualize what kind of ShellBags are available.
As mentioned above, left clicking selects a given node in the tree and displays child bags in the grid
view. Right clicking a node will select that node and expand all child nodes and display all bags
under the selected node in the grid view.
In the example above, D: has been recursively explored. Notice the icon now shows a blue down
arrow indicating the node is being explored recursively. Exploring recursively lets you drill down
into specific areas of interest and, as we will soon see, easily search for things across a given set of
ShellBags.
ShellBag parsing errors

Should any errors occur when parsing ShellBags, a placeholder for the ShellBag will be added as
shown in the image below. Some details for the unparsed ShellBag will be displayed in the Details
pane. The Hex view allows for reviewing of these ShellBags for relevant data and a message is added
to the Messages window when this occurs.
By adding a placeholder for ShellBags with parse errors, any child ShellBags of the unparsed
ShellBag will be still be visible in the proper context.
Grid view
As nodes are selected in the tree view, the grid view is updated to show the child ShellBags of
the selected node. In the case of recursive viewing, all child bags from the selected node down are
displayed in the grid view.
The grid view serves as a way to view Shellbags in a consistent manner. Not all bags have data for all
of the columns, but for the most part the columns available in the grid view provide a homogeneous
view of ShellBags. Because of this, common features of different bag types can be grouped on, filtered,
sorted by, etc.
Customizing grid view columns
Clicking in the upper left corner of the grid view allows for customizing the fields displayed in the
grid.
Column definitions
SBE supports the following columns as of v0.5.0.0:

* Absolute path: The absolute path from the Desktop to the location of the shell bag
* Accessed on: The access date as stored in the ShellBag
* Bag path: The path to the ShellBag relative to the BagMRU key
* Child Bags: Number of child bags of the parent bag key
* Node Slot: The NodeSlot value for the selected ShellBag
* Created on: The created date as stored in the ShellBag (usually based on MFT data)
* Ext. block count: The total number of extension blocks found in this shell bag
* Extension blocks: The names of unique extension blocks found in the shell bag
* First Explored: When available, the timestamp a folder was first explored
* Icon: A visual identifier for the shell bag
* Last Explored: When available, the timestamp a folder was last explored
* Last Write Time: Only available when loading an offline hive, this is the timestamp the ShellBag
KEY was last updated.
* MFT entry
* MFT Seq. number
* Miscellaneous: Used to report additional items of interest about shell bags as needed. This is
primarily used to report the type of file system an item was located on
* Modified on: The modified date as stored in the ShellBag
* MRU: The Most Recently Used position of the bag
* Slot: The shell bag’s numerical identifier in its parent key
* Type: The human readable description of what kind of data the shell bag represents (file, folder,
etc.)
* Type ID: The hexadecimal identifier for the shell bag. This is found in offset 0x02 in the hex that
makes up a shell bag.
* Value: The name of the file, folder, property view, etc. for the shell bag. This is the primary identifier
for a shell bag.
Note: The MFT entry and sequence number can be used to determine the file system a particular
bag came from:
* If entry number > 0 and sequence number > 0, then the file system is NTFS.
* If entry number > 0 and sequence number == 0, then the file system is FAT. (Further checks against
the accuracy of Last Access is then done to determine FAT vs. exFAT)
When applicable, the Miscellaneous column will indicate which file system the ShellBag target
originated from. Thanks to David Cowen for this idea and for testing.
Changing column order
Column order can be adjusted by dragging and dropping columns to new positions in the grid. Any
changes are persisted.
Interacting with the grid
The grid view can be used to sort, filter, and group ShellBags.
Sorting
To sort, simply click a column header. Click it again to sort in reverse order. To sort by more than
one column, click the initial column to sort by, then hold SHIFT and click on another column. The
second column will be sorted while the first column retains its initial sorting.
Filtering
At the top of each column is a filter cell. In the image below it is highlighted in yellow.
Clicking on this cell and typing will immediately filter that column to only items containing the
entered. To the left of the cell is a button with options on how the filter should work. The default is
“contains.”
There are also dropdowns which contain all unique entries in the column plus options to add custom
filters to the list. To the right of each cell is a button that can be used to clear that column’s filter.
To the far right of the filter row is a button that can be used to clear all filters.
Grouping
At the top of the grid is an area where one or more column headers can be dragged. As columns are
dragged and dropped, each unique value in the selected column will be used to create a group.
In the example above, the “Type” column was grouped. Clicking on a plus sign expands that group.
Clicking the minus sign collapses it.

After grouping, columns can be sorted as we saw earlier, by clicking on the column header.
To group more than one column, drag them to the group area.
In the example above, we first grouped by type, then by MRU. This can be useful to see a list of all
the most recently accessed directories (i.e. all the ShellBags of type directory where MRU == 0) .
To “undo” grouping, drag the columns back into the main grid area at any location.
Selecting bags in grid view

Left clicking a bag will select that bag and display that bag’s details in the details view (described
below). After selecting a bag via left clicking it, you can jump to that bag by right clicking it.
In the image below, we are recursively viewing the bags at and below D:.
Notice the D: drive is highlighted in the tree view and the details view reflects this. If the bag with
value “GOON2” is left clicked, then right clicked, notice the tree view is updated and the “GOON2”
bag is highlighted and the grid view is updated to show the child bags of the GOON2 bag.
The details pane is also updated with the newly selected bag in the tree view. Clicking the “Queue”
bag in grid view will update the details view to the “Queue” bag.
Details view
The details view contains all known ShellBag information in human readable (and hopefully
consumable) format. Binary data is converted to timestamps, strings, numbers, and other structures.
ShellBags in general have the following structure (For an exhaustive breakdown of ShellBag
binary layouts, including extension blocks, see the Metz document referenced above
(http://goo.gl/rJXmLY)):
* Offset 0-1: Size of the ShellBag
* Offset 2: Type indicator
* Type specific data
The type specific data contains things as timestamps, file attributes, strings, and extension blocks.
Extension blocks contain additional data relevant to a ShellBag which can be used in different
ShellBags. Because of this, extension blocks have their own formatting that is consistent across
bags.
Extension blocks can be identified by a unique signature, BE EF 00 XX, where XX varies on the type
of extension block. In the image below, the beginning of a BEEF0004 block is highlighted. Since the
data is stored in little endian format it has to be read “backwards.”
Extension blocks in general have the following format:

* Offset 0-1: Size of extension block
* Offset 2-3: Extension version
* Offset 4-7: Extension signature
* Offset 8+: Extension specific data
In the image above, we can see:
* Size = 0x48, or 72 decimal
* Version = 0x9
* Signature = 0x0400EFBE, or when converted BEEF0004 (start from the right and read left)
* After the signature the extension block specific data begins. BEEF0004 denotes a file entry extension
block and as such we can recover creation and last access timestamps (FAT format), the version of
Windows (Vista, 7, 8, etc.), long and short directory names, and MFT related information.
As SBE processes ShellBags, all of this binary data is interpreted and stored in different objects that
make up the ShellBag, so rather than seeing a string of hexadecimal characters, SBE represents bags
using common structures like Value, type, and so on (the fields, in general, as reflected in the grid
view).
All available information about a bag is visible in details view, even when a bag contains data that
cannot be abstracted into a grid view. For example, in some cases a bag may have 4 BEEF0004 blocks
(and therefore 4 sets of timestamps, MFT info, etc.) and the details view allows you see all that data.
An example of the full details of a ShellBag representing a directory is shown below.
Here we can see the short name, MAC dates and times, full bag path, the absolute path, and the first
explored date.
Note: The Last Write Time of the PARENT key (BagMRU\0\2\0\3\0) this ShellBag lives in is
11/17/2014 9:26:46 PM +00:00, but the First explored timestamp is 11/17/2014 9:25:46 PM +00:00. This
is because First explored is determined by the last write date of the “bottom” key corresponding to
BagMRU\0\2\0\3\0, Slot 0. The key for this bottom slot is not shown but the Last Write timestamp is
collected and applied to the relevant bag.
Additionally we can see that the file system is NTFS. This can be determined since we have both an
MFT entry and sequence number.
Some ShellBags contain embedded property sheets. These are another data structure commonly
seen in various Windows artifacts and essentially are key/value pairs. In the example below, the
bags related to the Control Panel have been expanded.
After selecting the “Set Program Associations” bag, its details view contains:
Here we can see the various property sheets and the data contained therein. Notice that now it is
possible to tell not only WHEN program associations were changed, but WHAT program was used
to take over those associations.
Finally, the bottom of the details view contains the raw hexadecimal data.
Hex view
The hex view contains the raw hexadecimal data of the selected Shellbag. It is displayed in traditional
hex editor style in read-only mode.
To the right of the hex data is a rough interpretation of the data. A few strings can be seen in both
ASCII and Unicode format. As the position of the cursor is changed by clicking on hex values, the
data interpreter updates in real time.
Data interpreter
The data interpreter assists in decoding the contents of ShellBags when manual verification is desired.
As the cursor is moved to different offsets, the interpreter updates in real time and shows different
interpretations of the data FROM THE POSITION OF THE CURSOR IRRESPECTIVE OF ANY
SELECTED BYTES.
In this example the cursor is at offset 0x8 and we see the DOS date is showing 4/24/2014 1:09:08 PM
+00:00 which corresponds to the Modified timestamp.
In the next example we can see the data interpreter has found a GUID for the Control Panel at offset
0x4.
By using the data interpreter to explore ShellBags you can begin to see common patterns including
timestamps, extension blocks, property sheets, and so on.
NOTE: The data interpreter will show certain fields in bold based on certain conditions:
-A GUID is found that maps to a known location

-A timestamp where the calculated datetime > Now - 10 years AND calculated datetime < Now + 5
years.
These provide visual cues that a valid timestamp or GUID may have been found.
Finally, the data from the data interpreter and its corresponding ShellBag details can be copied to the
clipboard by double clicking the designated area at the bottom of the data interpreter. An example
is shown below of what this data may look like once copied into a text editor.
SBECmd.exe
SBECmd.exe is a command line version of ShellBags Explorer that will automatically process hive
files and export the results to TSV. The command line options are shown below.
Processing multiple, unrelated hives

After exporting one or more hives to a directory, execute SBECmd.exe as follows:
SBECmd.exe -d <directory>
A new directory underneath <directory> will be created called ‘Out’ which will contain the TSV
reports generated by SBECmd.exe. An example run is shown below.
If SBECmd.exe encounters any errors processing hives, they will be reported to the console and to
‘!SBECmd_Messages.txt’ in <directory>Out
Processing multiple, related hives

In certain cases you will have multiple registry hives from the same user. These hives may be found
in volume shadow copies, carving, etc.
SBECmd can also deduplicate ShellBags across multiple registry hives via the –dedupe switch.
This is useful when processing many hives from a given user and eliminating duplicate shellbag
entries. Uniqueness is determined from the following data in a ShellBag: BagPath, Slot, MRUPosition,
Value, CreatedOn, ModifiedOn, AccessedOn, MFTEntry, MFTSequenceNumber, FirstExplored, and
LastExplored. These values are combined and then SHA-1 hashed. Only one copy of a ShellBag with
a given SHA-1 hash is reported and the rest are discarded.
After exporting one or more hives to a directory, execute SBECmd.exe as follows:
SBECmd.exe -d <directory> –dedupe
A new directory underneath <directory> will be created called ‘Out’ which will contain the TSV
report named ‘Deduplicated.tsv’. An example run is shown below.
Time zone support

Like its GUI counterpart, SBECmd can adjust all dates and times to a user selected time zone. The
default time zone is UTC, but a different time zone can be selected via the –timezone switch. Enclose
the timezone in quotes. An example is shown below.
The TSV file(s) will now reflect the selected time zone, including any adjustments for daylight
savings time.
General usage tips and tricks

(misc stuff here) cdburn etc
Version changes
Version 0.6.0.0
NEW: Added NodeSlot info. This column is hidden by default in the grid, but will always be shown
in Details view
CHANGE: Updated registry parser code (∼150% faster and significant memory reduction)
FIX: Correct FAT vs exFAT file system hint in BEEF0004 blocks
FIX: Correctly detect end of ShellBag in C3 bags
Version 0.5.0.4
NEW: Build for AnyCPU vs forcing x86.
NEW: Add icon for “History folder” ShellBag type
NEW: Allow hives to be dropped on Hex view
NEW: Added millisecond precision to timestamps that have that level of resolution. These times-
tamps are visible in the details pane
NEW: Added support for http URLs in variable blocks.
NEW: Added ability to double click on Data Interpreter to copy values on Interpreter plus ShellBag
details to Clipboard
NEW: FILETIME and DOS Date fields in data interpreter will be bolded if the calculated date > Now
- 10 years AND calculated date < Now + 5 years. This provides a visual cue a valid timestamp may
have been found.
NEW: GUID field in the data interpreter will be bolded if the calculated GUID maps to a known
value
NEW: Count all ShellBag registry values seen and compare to the number of ShellBags processed.
If seen != processed, show warning on summary screen as data is missing
NEW: Added Placeholder extension block which is used to “pad” main ShellBags when they contain
additional ShellBag items (Bags containing bags). Placeholder bags are not printed to the details pane
NEW: Added detection of Beef0010 blocks in 0x71 ShellBags.
NEW: Added detection of Beef0010 blocks in 0x2f ShellBags.
NEW: Added ability to double click on a row in the Messages window which will select the related
node in the tree on the main window
NEW: Add GUID for OneDrive on Windows 10
NEW: Detect drive letters in 0x1F ShellBags.
CHANGE: Detect optional Beef0004 extension block in CDBurn ShellBags
CHANGE: Look for common signatures in several bags and act accordingly
FIX: Detect several fringe cases and set value to “!!! Unable to determine value !!!”. These need more
research for full support
FIX: Remove early return in 0x4d bag which resulted in the ShellBag not displaying properly
Version 0.5.0.3
NEW: Add new ShellBag type, ShellBagParseError, that is used as a placeholder when ShellBag
contents aren’t parsed properly.
Version 0.5.0.2
NEW: Added support for 0x61 bags (FTP). Connection date and username (when saved) are reported
NEW: Added support for Variable: FTP URI ShellBags. These show directories browsed on an FTP
server and in many cases contains the timestamp on the FTP folder
CHANGE: More support for contents in BEEF000e extension blocks
CHANGE: Improve message when BagMRU key isn’t found in a hive.
CHANGE: Updated drive letter icon to a hard drive vs green folder
CHANGE: Expand and collapse nodes now affects the selected node vs all nodes.
FIX: Some GUI fixes (when using expand/collapse nodes remove recursive icon)
Version 0.5.0.1
FIX: Remove recursive icon when right clicking an entry in the grid
FIX: Minor manual updates
Version 0.5.0.0
NEW: Completely rewritten manual
NEW: Added Time zone setting to Tools menu. Change the time zone BEFORE processing a hive to
have all dates automatically adjusted for the selected timezone
NEW: Added –timezone command line argument to SBECmd.exe. Use –timezone=”” for a list of
valid time zones
NEW: Added –dedupe option to SBECmd. This will process all hives in a directory and remove any
duplicate bags. See –help for details
FIX: Adjust Beef0025 version offset to always pull the right offset.
Version 0.4.3.0
CHANGE: Switch from CSV extension to TSV for easier processing in Excel without having to
import manually
FIX: Minor fixes to command line version if source directory is missing
Version 0.4.2.0
FIX: Correct file system hint in details pane misreporting file system. The value in Misc column was
correct but in some cases the details pane misreported the file system type
Version 0.4.1.0
NEW: A shiny manual is now included
NEW: CSV output has been added. You can optionally include the raw hex from bags as well
NEW: Added SBECmd.exe which is the command line version of SBE.
NEW: Added FirstExplored column to grid and details section (when available)
NEW: Added LastExplored column to grid and details section (when available)
NEW: More GUIDs (Windows 10, RealPlayer Cloud, etc)
NEW: Added support for ShellBags with TypeID 0x01 special case
NEW: You can now drag and drop an offline hive on the grid, tree, or details pane to load
NEW: Added note to Miscellaneous column denoting what file system a bag came from based on
MFT information (Thanks to David Cowen for idea and testing)
Version 0.3.9.0
NEW: Added icon for CDBurn bags
NEW: Added CTRL-A and CTRL-C functionality to main grid. This lets you quickly select all rows
and copy selected rows to clipboard
NEW: SBE now remembers its size and will restore the last size on startup
CHANGE: Add detection of certain special signatures earlier in the process as these types of bags
can occur in different places (CDBurn, etc)
CHANGE: Rename “Variable: CDBurn” to “CDBurn” since they can be seen in different places
Version 0.3.8.0
NEW: Added operating system information for beef0004 blocks based on Identifier property. 0x14
⇒ Windows XP, 2003 | 0x26 ⇒ Windows Vista | 0x2a ⇒ Windows 2008, 7, 8.0 | 0x2e ⇒ Windows 8.1
NEW: Report unmapped GUIDs to messages window
NEW: Added support for 0x35 identifiers, which contain Unicode strings vs ascii
NEW: Added support for ShellBag with type ID 0x64 and 0x65. These refer to browser history folders
NEW: Even MORE GUIDS!!!!!1
CHANGE: Improvements to message form details pane
CHANGE: Hide InternalID and HexView from grid field chooser
FIX: Deal with improperly terminated Unicode strings so a ? isn’t displayed as the last character
FIX: Handle embedded property stores in 0x71 (Control panel bags) vs reporting unknown GUID
FIX: Lots of fringe case cleanup
Version 0.3.7.0
NEW: Report unknown type IDs to Messages window so they can be reported
NEW: Added support for Beef0010 extension block. This block contains property store data. Vector
data in one of the sheets looks to contain additional property stores with additional data. More work
to be done here
NEW: Added support for Beef0021 extension block. This block has been seen to contain the URL
where files have been downloaded from
NEW: Added support for Beef0016 extension block. This looks to contain what was searched for (ie
*.inf)
CHANGE: Do not force ‘Last write time’ column visible when loading an offline hive
CHANGE: Added more GUIDs
FIX: Don’t crash when grouping and a group is selected
Version 0.3.6.0
NEW: Pull extension blocks out of property sheets in 0x00 and 0x1F ShellBag types. These appear
to be the results of searches. More research is needed to confirm
CHANGE: Clean up some messages
Version 0.3.5.0
NEW: Added ‘Absolute path’ to grid which contains the full path from the Desktop to the bag item
NEW: Added a few dozen more GUIDs
NEW: Alternate row colors in Messages window

NEW: Added exporting of messages to Excel via button on Messages window
NEW: Added ‘Clear messages’ button to Messages window
CHANGE: Made column headers look nicer by adding spaces (it’s the little things sometimes)
CHANGE: Tweak Messages window to allow for message type, message, and details view to
unclutter the display
CHANGE: Recoded Root folder shell item ShellBag type (0x1f) to find and add multiple extension
blocks
CHANGE: Expand hex view to fill more space and move data interpreter to far right
CHANGE: Show wait cursor while doing things vs arrow
CHANGE: Add detection of bags related to zip file contents early vs inside each known bag type.
This prevents a lot of future “unknown” types going forward
Appendix A – Contributors
The following people have contributed in one way or another during the development and
refinement of SBE
* SA/FE Devon P. Ackerman devon.ackerman@ic.fbi.gov, sadevonackerman@gmail.com
* David Cowen @HECFBlog
* Harlan Carvey @keydet89
* Dan Pullega @4n6k
* Mark Woan @woanware
Appendix B – Additional resources
* http://msdn.microsoft.com/en-us/library/aa965725%28v=vs.85%29.aspx
* https://code.google.com/p/libfwsi/wiki/ShellFolderIdentifiers
* https://docs.google.com/file/d/0B-VYGsDJPtZlVDNJQ3pWX0M1b1k/edit
* http://www.4n6k.com/2013/12/shellbags-forensics-addressing.html
* http://www.williballenthin.com/forensics/shellbags/index.html
TimeApp
TimeApp Introduction
TimeApp is a tool created by Eric Zimmerman that provides multiple functions: current time,
stopwatch, countdown timer, and current IP address.
TimeApp Screenshots
TimeApp 337
TimeApp References

• https://github.com/EricZimmerman/timeapp is the GitHub repository for TimeApp
Download TimeApp
TimeApp can be downloaded from https://ericzimmerman.github.io/#!index.md
Timeline Explorer
Timeline Explorer Introduction
Timeline Explorer is a tool created by Eric Zimmerman that can be used by forensic examiners (or
anyone) to ingest CSV files (and a few other filetypes). Timeline Explorer can handle large files
(over 14GB) and provides a user friendly experience for dealing with data contained within CSV
files. Timeline Explorer can have multiple files open at a time (over 300) and contains many familiar
keyboard shortcuts to move through analysis more efficiently.
Timeline Explorer uses Plugins¹⁶¹ that will allow Timeline Explorer to ingest multiple filetypes.
The benefit of these Plugins allows for the Line and Tag columns to be populated for the various
supported file types as well as other enhancements to boolean (True/False) and timestamp values.
Supported File Types

Timeline Explorer supports the following filetypes:
• .csv
• .tsv
• .xlsx
• .txt
Timeline Explorer only runs on Windows due to the .NET Desktop Runtime¹⁶² currently only being
available for Windows and not macOS or Linux.
Ingesting Excel Spreadsheets (.xlsx)

Please note, when you ingest an Excel spreadsheet with multiple sheets, only the first sheet will load
within Timeline Explorer. All other sheets will be ignored.
¹⁶¹https://github.com/EricZimmerman/TLEFilePlugins
¹⁶²https://dotnet.microsoft.com/en-us/download/dotnet/6.0
Timeline Explorer 339
Timeline Explorer Features
File Menu
The File menu has a couple of noteworthy features that we’ll cover in this section
Timeline Explorer’s File Menu
Sessions
When you have multiple CSVs ingested into Timeline Explorer, you can save a session which will
open all the same files that are opened at the time of session save. Timeline Explorer will create a
.tle_sess file which is simply a JSON file that will look similar to the example below:
{
"SessionFiles": {
"C:\\temp\\20220913030423_RECmd_Batch_Kroll_Batch_Output.csv": [
],
"C:\\temp\\20220913030450_RECmd_Batch_Kroll_Batch_Output.csv": [
]
}
}
Opening this particular session file will instruct Timeline Explorer to open the files specified.
Additionally, any tagged rows will persist when saving and reloading sessions.
Export
Timeline Explorer can export an opened file as CSV or XLSX. This may be helpful where if you have
a CSV file ingested but want to export it as XLSX, or vice-versa. Please note, the Export function
is WYSIWYG, so whatever data is visible due to active layouts, filters, sorting, etc will be what is
exported.
Tools Menu
Timeline Explorer offers multiple useful features within the Tools menu.
Timeline Explorer’s Tools Menu

Find
Timeline Explorer provides an incredibly useful Find window where examiners can search for terms
amongst all open files. The below example shows the term microsoft and the amount of hits within
each open file. Double-clicking on a search result will warp to the file in question and automatically
filter on the search term.
Timeline Explorer’s Find Window
Right-Click to Copy
One of the most convenient features Timeline Explorer offers is the ability to carry out copy
functions with a simple right-click of the mouse. This allow for minimal, if any, interaction with a
keyboard when copying data from a file opened in Timeline Explorer. Every click saved matters!
Copy Column Headers When Copying
This can be useful for when headers need to be copied out of a file that’s open within Timeline
Explorer.
Groups
Timeline Explorer allows examiners to grab a column header and drag above to the box which
contains the text Drag a column header here to group by that column, as seen below.
An Example of the Grouping by Column Header Workflow in Timeline Explorer
Grabbing the Time Created column header and dragging it into the blank area above the column
headers will create a grouping that can be very helpful during everyday analysis.
RECmd
Below is an example of grouping RECmd output by the Hive Type column.
Grouping Columns in Timeline Explorer
When pushing CTRL+K, the Hive Type groups will collapse which can then be expanded with CTRL+M.
EvtxECmd
Below is an example of grouping EvtxECmd output by the Map Description column.
Timeline Explorer with Multiline Tabs Enabled

Below is an example of stacking column headers to form a complex grouping.
With this particular grouping, examiners can see how many overall events resides in the Secu-
rity.evtx file as well as how many events exist within each Provider that logs to that particular
.evtx file.
Tagging
As long as there are Line and Tag columns visibile for a file ingested into Timeline Explorer,
examiners can take advantage of the Tag feature. Rows that contain data of interest can be tagged
by checking the box in the Tag column. This can be useful for when analysis is complete on a given
file to where an examiner is ready to filter on only the rows of interest. This can be done by filtering
on the Tag column for checked boxes only. This will allow for all untagged rows to disappear and
only rows that were tagged by the examiner will appear.
Multiline Open Tabs
Below is an example of Timeline Explorer with Multiline Tabs enabled.

Below is an example of Timeline Explorer with Multiline Tabs disabled.
Timeline Explorer with Multiline Tabs Disabled
Clear Filters
CTRL+E is one of the most useful keyboard shortcuts in Timeline Explorer. Regardless of how many
filters are applied by an examiner, this shortcut will clear them all.
Applying Value as a Filter
CTRL+SHIFT+F is another useful keyboard shortcut available in Timeline Explorer. When a given cell
is highlighted in Timeline Explorer, this keyboard shortcut will allow for the value within that cell
to be applied as a filter in the column it resides in. The filter type can be changed once the value is
populated in the column header filter box.
Reset Column Widths
As examinations progress, columns get resized and it can be a pain to manually resize the columns
back to a reasonable size. CTRL+R provides the quickest method to reset all columns to their default
width.
Tabs Menu
The Tabs menu provides examiners with an overview of all files opened within a Timeline Explorer
instance.
Timeline Explorer’s Tabs Menu
In addition to providing an easy way to see a massive amount of tabs open within Timeline Explorer,
this box also serves as a search box so you can filter on a specific open file that you want to analyze.
Searching within Timeline Explorer’s Tabs Menu

View Menu
The View menu provides helpful information when trying to troubleshoot issues with Timeline
Explorer.
Timeline Explorer’s View Menu

Messages
Timeline Explorer offers a Messages window that can provide insight as to how long a file takes
to ingest into Timeline Explorer, which plugin was used to process a file during ingestion, and
error messages that may come up while ingesting unsupported output. As always, toggling Debug
Messages will provide much more verbose messaging in this window but it will also likely drastically
slow the ingestion of a file.
Timeline Explorer’s Messages Window

Help Menu
Timeline Explorer provides helpful resources within the Help menu.
Timeline Explorer’s Help Menu

Quick Help
Below is the information located in Help -> Quick help.
Timeline Explorer’s Quick Help

Legend
When ingesting Super Timelines, the following Legend can prove to be helpful.
Timeline Explorer’s Legend for Super Timelines

Conditional Formatting
Custom Conditions
Timeline Explorer’s Conditional Formatting -> Manage Rules Location

Manage Rules
Timeline Explorer allows for examiners to set conditional formatting for certain criteria within rows,
columns, and/or cells. This can be done using the Manage Rules menu.

Clicking on Manage Rules will bring up this Rules Manager window.

Example Rule
Clicking New Rule in the top left will bring up the following window.

Below is an example of what highlighting every row containing the string successful in the Map
Description column looks like.
Highlighting Every Row That Contains “Successful”
Diving deeper into the Rules Manager will show the settings for applying this conditional formatting
to every row containing the desired string.
Example Rule Part 1

Using the bottom formula option allows the examiner to craft a filter similar to the filter editor used
in the main Timeline Explorer window.
Example Rule Part 2

Timeline Explorer Settings

A TLE_settings.xml file is located within .\TimelineExplorer\Settings which stores user pref-
erences in XML format. These are effectively storing the preferences for the options that can be
modified by the user within the Tools menu. An example can be seen below:
1 <?xml version="1.0" encoding="utf-8"?>

2 <Settings xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.\
3 datacontract.org/2004/07/TimelineExplorer.Classes">
4 <CopyColumnHeaders>
5 false
6 </CopyColumnHeaders>
7 <CopyRightClick>
8 true
9 </CopyRightClick>
10 <DateTimeFormat>
11 yyyy-MM-dd HH:mm:ss.fffffff
12 </DateTimeFormat>
13 <DetailsOnTop>
14 false
15 </DetailsOnTop>
16 <FirstPinnedColumns xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/\
17 Arrays" />
18 <FontName>
19 Consolas
20 </FontName>
21 <FontSize>
22 12
23 </FontSize>
24 <MultilineTabs>
25 true
26 </MultilineTabs>
27 <Theme>
28 Office 2019 Black
29 </Theme>
30 </Settings>
A public copy of this exact TLE_settings.xml file is hosted on Andrew Rathbun’s GitHub here¹⁶³.
¹⁶³https://github.com/AndrewRathbun/TimelineExplorerSettings
DateTimeFormat
It is very important that the .fffffff values are added to this whether in the Timeline Explorer GUI
or directly into the XML file itself. Without these subseconds enabled, it will be impossible to detect
timestomping¹⁶⁴ within MFTECmd output or leverage more precise timestamps that other EZ Tools
provide.
Timeline Explorer Layout Files
What Are Layout Files?

Layout files are located at .\ZimmermanTools\net6\TimelineExplorer\Layouts\Default which
provide the default layouts for output that’s supported with a Plugin. If you move columns
around, hide columns, or anything else, those preferences will be stored in layout files
with the .layout.local file extension. If you ever want to revert to the default, delete
your .layout.local files and Timeline Explorer will revert to the .layout files within the
.\ZimmermanTools\net6\TimelineExplorer\Layouts\Default directory.
¹⁶⁴https://www.kroll.com/en/insights/publications/cyber/anti-forensic-tactics/anti-forensics-tactics-timestomping
Timeline Explorer Plugins

Plugins are written in C# (as are all of Eric’s tools) which aim to provide better support for ingested
CSV output.
Expected Headers
Each Plugin looks for headers within CSV output so it can know that a plugin matches with the tool
output being ingested.
Why does Timeline Explorer need plugins?
It doesn’t NEED plugins but plugins will allow for a better experience when dealing with supported
tool output.
For instance, here¹⁶⁵ is an excerpt from the EZ Tools plugin where the plugin is looking for certain
headers within the CSV in order to ingest the output properly:
ExpectedHeaders = new HashSet<string>(StringComparer.OrdinalIgnoreCase)

{
"entrynumber,sequencenumber,inuse,parententrynumber,parentsequencenumber,par
th,filename,extension,filesize,referencecount,reparsetarget,isdirectory,hasads,isads\
,si<fn,useczeros,copied,siflags,nametype,created0x10,created0x30,lastmodified0x10,la\
stmodified0x30,lastrecordchange0x10,lastrecordchange0x30,lastaccess0x10,lastaccess0x\
30,updatesequencenumber,logfilesequencenumber,securityid,objectidfiledroid,loggeduti\
lstream,zoneidcontents"
};
¹⁶⁵https://github.com/EricZimmerman/TLEFilePlugins/blob/13055b37b5880c131e1cf6ae4d5ff1a57a537467/TLEFileEZTools/EZTools.cs#
L368
Ingesting CSVs That Don’t Have Plugin Support

If there are no headers that match, then Timeline Explorer will default to the GenericCSV plugin,
which can be found here¹⁶⁶. Effectively, this plugin will treat every value as a string, regardless of
whether it’s a True/False value, a timestamp, etc.
Examples of Benefits of Timeline Explorer Plugins

Here we will cover a few key examples of what value plugins provide to Timeline Explorer and
supported output.
Checkboxes
Excel is unable render checkboxes for True/False values when dealing with MFTECmd output.
MFTECmd’s InUse column in Excel
Timeline Explorer will render the True/False values as a checkbox.
MFTECmd’s InUse column in Timeline Explorer
Timestamp Column Filters, Part 1
Excel is unable to handle the values within MFTECmd output (and other EZ Tools’ output) without
input from the user.
¹⁶⁶https://github.com/EricZimmerman/TLEFilePlugins/tree/master/TLEFileGenericCsv
MFTECmd’s timestamp columns in Excel
When converting the timestamp manually in Excel to the specified format, it works, but why do
all of that work? Timeline Explorer displays each timestamp as a DateTime object and allow the
examiner to digest the data quicker.
MFTECmd’s timestamp columns in Timeline Explorer

Timestamp Column Filters, Part 2
Now that we’ve established the power of plugins for timestamp values, let’s further demonstrate the
power of a plugin that’s catered towards a specific tool’s output compared to the GenericCsv plugin.
By removing the TLEFileEZTools.dll prior to ingesting MFTECmd output, we can see that Timeline
Explorer won’t know to convert the values within the timestamp-specific columns to DateTime
objects.
MFTECmd’s timestamps displayed as strings
To reproduce the above example, remove the .\TimelineExplorer\Plugins\TLEFileEZTools.dll

file prior to opening Timeline Explorer and ingest output from the most current version of
MFTECmd.
When we leverage the plugin built for EZ Tools output, we can see what value Timeline Explorer
provides.
MFTECmd’s timestamps displayed as DateTime objects
The above provides a much more user friendly method of filtering on years, months, and days when
conducting analysis.
Timeline Explorer References
Blog Posts
Official Blog Posts
• Introducing Timeline Explorer v0.4.0.0¹⁶⁷

• Timeline Explorer 0.5.0.0 released¹⁶⁸
• Timeline Explorer 0.6.0 released!¹⁶⁹
part)¹⁷⁰
• A fluery of updates!¹⁷¹
• Everything gets an update, Sept 2018 edition¹⁷²
Community Resources
• AboutDFIR - Timeline Explorer¹⁷³

• Episode 87: Introducing and Using Timeline Explorer¹⁷⁴
Download Timeline Explorer

Timeline Explorer can be downloaded from https://ericzimmerman.github.io/#!index.md
¹⁶⁷https://binaryforay.blogspot.com/2017/04/introducing-timeline-explorer-v0400.html
¹⁶⁸https://binaryforay.blogspot.com/2017/05/timeline-explorer-0500-released.html
¹⁶⁹https://binaryforay.blogspot.com/2017/10/timeline-explorer-060-released.html>
¹⁷⁰https://binaryforay.blogspot.com/2018/03/updates-to-left-of-me-updates-to-right.html
¹⁷¹https://binaryforay.blogspot.com/2018/05/a-fluery-of-updates.html
¹⁷²https://binaryforay.blogspot.com/2018/09/everything-gets-update-sept-2018-edition.html
¹⁷³https://aboutdfir.com/toolsandartifacts/windows/timeline-explorer
¹⁷⁴https://www.youtube.com/watch?v=Hy8ZIc86tCo
XWFIM
XWFIM is a tool created by Eric Zimmerman that assists with installing and managing a local
instance of X-Ways¹⁷⁵. XWFIM allows examiners to download everything necessary to begin using
X-Ways Forensics (including BYOD) or X-Ways Investigator in a few clicks.
XWFIM also provides tooltips for X-Ways to leverage. These can be found by hovering the cursor
over each option within X-Ways.
¹⁷⁵https://www.x-ways.net/
XWFIM 369
Using XWFIM
XWFIM provides many features to assist with installing, managing, and verifying a local installation
of X-Ways.
XWFIM 370
X-Ways Credentials
Prior to using XWFIM, one must have valid credentials to download X-Ways using XWFIM.
XWFIM 371
Once valid credentials are entered, XWFIM will provide a prompt similar to below.
Typical Installation
Installing X-Ways Forensics can be done following the steps below.
First, select the desired version using the dropdown, as seen below.
XWFIM 372
Once a version is selected, ensure the install directory and X-Ways folder name are populated and
hit Install.
Once the installation is complete, XWFIM will display a prompt similar to below.
XWFIM 373
Portable Installation
To create a portable installation of X-Ways using XWFIM, select the Tools -> Create portable
installation feature. Please note, if you try to do this without having executed X-Ways successfully on
the host system, a similar error message will likely display: WinHex.cfg is missing from 'C:\xwf'.
Open X-Ways at least once to create it and try again. Aborting...
With a USB flash drive plugged in, one will see all attached USB flash drives available to create the
portable installation on.
XWFIM 374
Selecting the E:\ as the destination, a progress window will emerge once the Create button is pushed.
XWFIM 375
When complete, a similar window will display.

XWFIM 376
On the destination USB flash drive, one can see similar files to what can be found in C:\xwf from
the previous example.
XWFIM 377
Verifying Installation
XWFIM can verify a local installation of X-Ways using the Tools -> Verify installation feature. First,
specify which directory for XWFIM to verify the installation of. In this example, we’ll use the C:\xwf
directory as shown in previous screenshots.
XWFIM 378
Once a directory is specified, choose whether or not a log file should be generated and hit Verify.
Generating a log file will output the same data in the above screenshot to an .XLSX file.
XWFIM 379
XWFIM Status Messages

Below is an example of status messages that XWFIM displays during the installation process.
Message Date Message

11/18/2022 20:14:44 Installation complete. Be sure to configure/verify the appropria\
te settings in Options | General and Options | Viewer Programs
11/18/2022 20:14:42 Generating validation data...
11/18/2022 20:14:42 Copying manual to 'C:\xwf'
11/18/2022 20:14:39 Unzipping Tesseract to 'C:\xwf'
11/18/2022 20:14:38 Unzipping MPlayer to 'C:\xwf'
11/18/2022 20:14:36 Unzipping viewer to 'C:\xwf'
11/18/2022 20:14:35 Unzipping X-Ways Forensics to 'C:\xwf'
11/18/2022 20:14:35 'WinHex.cfg' not found in 'C:\xwf'. Skipping
11/18/2022 20:14:34 Downloading manual
11/18/2022 20:14:23 Downloading Tesseract
11/18/2022 20:14:20 Downloading MPlayer
11/18/2022 20:14:14 Downloading viewer
11/18/2022 20:14:10 Downloading X-Ways Forensics version 20.7
11/18/2022 20:13:23 Local install version missing. Selecting current release version
11/18/2022 20:13:23 Current release version is 20.7 which was last modified on 11/15\
/2022 17:41:34 +00:00
11/18/2022 20:13:23 Found 18 versions of X-Ways Forensics
11/18/2022 20:11:12 XWFIM - X-Ways Forensics Installation Manager v2.1.0.0 initializ\
ing
XWFIM References
Download XWFIM
XWFIM can be downloaded from https://ericzimmerman.github.io/#!index.md
Errata
Reporting Errata
If you think you’ve found an error relating to spelling, grammar, or anything else that’s currently
holding this book back from being the best it can be, please visit the book’s GitHub repository¹⁷⁶ and
create an Issue detailing the error you’ve found. Anyone is also welcome to submit a Pull Request
with new content, fixes, changes, etc.
¹⁷⁶https://github.com/EZToolsManuals/EZToolsManuals/issues

Eric Zimmerman Tools

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Eric Zimmerman Tools

Uploaded by

Copyright:

Available Formats

EZ Tools Manuals

Andrew Rathbun and Eric Zimmerman

This version was published on 2022-12-03

© 2022 Andrew Rathbun and Eric Zimmerman

Enabling Update Notifications on Leanpub . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

EZ Tools - Common Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

EZ Tools - PowerShell vs CMD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

MFTECmd References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

SBECmd References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

EZ Tools - GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

JumpList Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

MFT Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

Registry Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

SDB Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

Shellbags Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293

Timeline Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

Timeline Explorer Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

.NET 4 vs .NET 6 EZ Tools

What is this book?

Content by Eric Zimmerman

Content by the DFIR Community about EZ Tools

Use -f to point the tool to a single file to be parsed.

.\LECmd.exe -d C:\temp\LNKFiles --csv C:\temp\LNKFiles\output

.\LECmd.exe -d C:\temp\LNKFiles --csv C:\temp\LNKFiles\output --csvf LNKFileOutput.csv

.\LECmd.exe -d C:\temp\LNKFiles --xml C:\temp\LNKFiles\output

.\LECmd.exe -d C:\temp\LNKFiles --html C:\temp\LNKFiles\output

.\LECmd.exe -d C:\temp\LNKFiles --json C:\temp\LNKFiles\output

.\LECmd.exe -d C:\temp\LNKFiles --json C:\temp\LNKFiles\output --pretty

Here is an example of a correct command using PowerShell:

You will notice a difference in the colors

AmcacheParser Use Cases

Author: Eric Zimmerman (saericzimmerman@gmail.com)

Examples: AmcacheParser.exe -f "C:\Temp\amcache\AmcacheWin10.hve" --csv C:\temp

This switch will instruct AmcacheParser to include output for ProgramEntries.

File Key Last Write Timestamp

Running .\AmcacheParser.exe -f "D:\DFIRArtifactMuseum\Windows\Amcache\Win10\APTSimulatorVM\Amcache.hv

File Key Last Write Timestamp

AmcacheParser Command Examples

Example AmcacheParser Commands

Parse an Amcache.hve File and Output to CSV

AmcacheParser.exe -f "C:\Temp\amcache\AmcacheWin10.hve" --csv C:\temp

Parse an Amcache.hve file and Output to CSV (specified filename) with

AmcacheParser.exe -f "C:\Temp\amcache\AmcacheWin10.hve" -i on --csv C:\temp --csvf f\

AmcacheParser.exe -f "C:\Temp\amcache\AmcacheWin10.hve" -w "c:\temp\whitelist.txt" -\

Analyzing AmcacheParser Output - CSV

AmcacheParser will produce the following CSVs:

%timestamp% will look something similar to this: 20220904032628

AmcacheParser Key Takeaways

Important Data Points

Associated GitHub Repositories

Official Blog Posts

Blog posts from Eric Zimmerman’s blog, Binary Foray:

• Locked file support added to AmcacheParser, AppCompatCacheParser, MFTECmd, ShellBags

Amcache Sample Data

AppCompatCacheParser Use Cases

Author: Eric Zimmerman (saericzimmerman@gmail.com)

Examples: AppCompatCacheParser.exe --csv c:\temp -t -c 2

1 Found 1,024 cache entries for Windows10Creators in ControlSet001

1 Two transaction logs found. Determining primary log...

Below is an example of ignoring transaction logs:

AppCompatCacheParser Command Examples

Example AppCompatCacheParser Commands

AppCompatCacheParser.exe --csv c:\temp -c 2

AppCompatCacheParser.exe --csv c:\temp --csvf results.csv